
University of Toronto + Duo
Enabling Secure Access in a Decentralized Higher Education Institution
The rollout of Duo has meant better protection for staff, faculty, and students working from anywhere. With a collaborative and cross-department approach to implementation, we’re able to ensure that strong user security is seamlessly adopted throughout the university.
The University of Toronto, a global leader in learning, teaching and research, chose Duo as part of its identity and access security strategy to protect academic and research contributions through strategic buy-in across distributed IT departments.
Customer Profile:
- Higher education and public research institute
- 3 campuses in Greater Toronto Area, Canada
- 124,000 users protected including students, faculty, and staff
- Duo customer since 2020
Challenges:
A prominent higher education and research institution, the University of Toronto has a commitment to curiosity and questioning the status quo. It is highly distributed, both in terms of geography, with campuses in the east and west of the city as well as the main campus, and also in terms of decision-making. Each faculty tends to have their own IT structure, reporting to their own academic leaders.
Any security change cannot be “top-down”, as it might be in a large private sector business. IT changes need to be introduced in collaboration with faculties, who enjoy a great deal of autonomy. Crucially, changes need to support the university’s mission rather than be a roadblock.
The university’s security team saw an increasing number of remote cyberattacks. In particular, phishing and MFA fatigue attacks capitalized on risks of compromised credentials to bypass authentication. While remote work has always been popular, particularly with students, it has been much more common post-COVID—and cyberattacks have sought to take advantage of this.
The University of Toronto needed a solution that would not only protect staff, students, and faculty, but would do so in a way that would enable remote work and research.
Duo's Solution:
Duo’s security solutions, combined with the right approach to rollout, can solve the specific challenges faced by higher education institutions:
Meaningful multi-factor authentication: Duo offers a variety of authentication options along with risk-based authentication (RBA) and risk-based remembered devices to enable remote work. Varied device environments can pose a challenge to security accessibility.
Flexible, granular access management: Duo is easy to manage, and its management and enrollment can be delegated to faculties, depending on their preference—ideal for organizations without a centralized security function. Granular administrative permission options decrease risks associated with over-provisioning.
Simple and powerful integrations: Duo integrates seamlessly with virtually any application, so the independent choices of individual faculties can be supported without wholesale change. This includes the integration with Single Sign-On (SSO) identity providers such as Shibboleth.
Security alerts when under attack: Duo provides security alerts when a user is at increased risk of compromise, for example if they are on the receiving end of an MFA push-bombing or phishing attack designed to subvert authentication. This allows the university to exercise caution and reduce the risk of compromise.
Benefits for the University of Toronto:
The university introduced Duo using a staged approach, first rolling it out to staff, then faculty, and finally students. Each group had its own challenges and needs when it came to ensuring buy-in to the project, and individual faculties were able to adopt a rollout strategy that worked best for them.
“The demand for remote working has been just as pronounced in higher education as in many private businesses, and it meant our need for multi-factor authentication was a priority. However, a one-size-fits-all approach was off the table—we had to find creative solutions to address the diversity of our campus, while quickly maturing our cyber capabilities.” – Deyves Fonseca, University of Toronto, Acting CISO
Starting with a pilot in 2020, the rollout was completed in 2023 with strategic coalitions and phased deployments building momentum. Along with enhanced security, benefits included:
Simple and intuitive experience: Protecting over 124,000 users across 3 campuses meant that any MFA solution had to be easy to use and not result in support headaches to gain adoption traction. Technical staff implementing the solution had access to training materials and automated provisioning options. Combined with a highly intuitive user experience, any increase in helpdesk requests was minimal.
A massive reduction in account compromise: The University of Toronto saw the number of account compromises drop to near 0 (zero). Along with the obvious security benefits, there has been a huge reduction in resources wasted on recovering accounts, including time that is better spent on research and learning.
Enabling remote work through a risk-based approach: The combination of user-friendliness and security enables remote work even on personal devices, which means that faculty, students, and researchers can enjoy access at home, in the library, or even on public Wi-Fi in airports and cafes. Rather than creating friction when logging in, Duo enables uninterrupted learning and research by only stepping up security requirements when necessary.
Retained autonomy: The ease of integration means that individual faculties have retained control over their IT systems, including the management and enrollment of MFA. This delegated management bolstered trust to roll out Duo across the organization.
Security as an enabler, not a barrier
Deyves Fonseca, Acting CISO, said:
“Working with Duo meant we could create a staged approach that meant we could bring everyone with us, through discussion and understanding. The biggest concern for most researchers when it comes to a new solution is whether it will create more friction: Will it stand between them and the work? Can they still use the software that allows them to work most effectively?”
Today, the University of Toronto is far better protected from attacks thanks to the successful rollout of Duo, seen by users as a way to ensure remote work is secure, rather than a security barrier that gets in the way of day-to-day work. The ease of use means users can be assured that they are safe and be more mindful of security in general, rather than seek out insecure workarounds. The success of the project, and the security team’s approach to buy-in, is a template for any university or large distributed institution looking to mandate MFA without creating friction, either in the user experience or between the users and security team.
“Duo enables our researchers to work safely from anywhere, has an intuitive approach, and alerts users to any potential security concerns. Its simple set of out-of-the-box integrations means that users don’t have to worry about moving to software that doesn’t work for them. Rather than create friction, it gives our users reassurance and freedom to work where they please.”