Because of University of York’s role as a research institution, Richard’s team had a two-pronged objective: offering users wide access while also keeping sensitive and confidential data secure. “A lot of our work is around partitioning and creating areas where data can be handled securely while still maintaining a very open research and teaching environment,” he said.
This challenge was exacerbated by the fact that the university’s existing user authentication solution had been in place for many years. Naturally, some users were hesitant to make the transition to two-factor authentication (2FA) to get root access, so Richard sought a frictionless solution that wouldn’t create new barriers.
A secondary concern was phishing: like many of their peers in academia, the University of York community struggled with it. Richard explained, “We have a huge number of people getting phished every year. The education is working, but it's not working at the level that we would hope.”
After trying out options like hardware tokens with RSA SecurID, Richard’s team was interested in something simpler and more straightforward that would best serve the variety of technical skill levels across the University of York community.
The recommendation to try Duo actually came from Richard’s boss. After a brief trial, it emerged as the right balance of a low-overhead, cloud-based deployment for the information security team and an accessible solution for the users.
Deploying Duo at University of York
One of Duo’s key benefits for University of York was how it protected initial entry into the network. Previously, if an attacker used phishing or malware to gain access to an administrator’s credentials, they had the keys to a large amount of data; the second layer of security that 2FA provides strengthened the university’s perimeter.
Richard’s team first rolled out Duo to system administrators, network administrators and other technical staff. It wasn’t long before other people around the university asked to get on board, a request Richard was happy to oblige. “One of the really cool things about Duo Security is that you can do a small deployment and it doesn't cost you a lot of time, infrastructure or money to get set up,” he said.
Another standout about Duo was how easy it was to get users started, regardless of their level of technical skill or access granted. For example, the university’s health practitioners use a National Health Service application, which needed more fine-tuning than a one-size-fits-all solution.
As Richard detailed, “We have a VPN service and when normal users log in, they get access to the network in a particular view, firewalled and that kind of thing. If a member of IT services logs in, then we want to give them a higher level of access. In order to get onto that VPN you have to use two-factor authentication.”
Would University of York recommend Duo?
“Duo’s just been really simple, straightforward, and it hasn't got in the way of what we've been trying to do. The app is really clean and just works … in fact, it's actually fun to do two-factor auths.”