“Duo's just been really simple, straightforward, and it hasn't got in the way of what we've been trying to do.”
— Richard Fuller, Linux and Information Security Team Leader
Research-intensive university with more than 30 academic departments and research centers.
Needed a frictionless solution to handle researchers’ sensitive and confidential data securely, and protect the network from phishing attacks.
Tried other solutions, like hardware tokens with RSA SecurID, but found Duo simpler and more straightforward.
Deploying Duo’s two-factor authentication kept cost and overhead down, and end users were quick to adapt to it because the app is so clean and simple.
University of York is a dynamic, research-intensive institution working to address some of the world’s most pressing challenges by developing life-saving discoveries and new technologies. The university is home to more than 30 academic departments and research centers, with almost 16,000 students.
We spoke with University of York’s Linux and Information Security Team Leader Richard Fuller about how Duo helps secure their researchers’ data and protect the network from phishing attacks. His team oversees all technical aspects of information security and infrastructure for the university.
Because of University of York’s role as a research institution, Richard’s team had a two-pronged objective: offering users wide access while also keeping sensitive and confidential data secure. “A lot of our work is around partitioning and creating areas where data can be handled securely while still maintaining a very open research and teaching environment,” he said.
This challenge was exacerbated by the fact that the university’s existing user authentication solution had been in place for many years. Naturally, some users were hesitant to make the transition to two-factor authentication (2FA) to get root access, so Richard sought a frictionless solution that wouldn’t create new barriers.
A secondary concern was phishing: like many of its peers in academia, the University of York community struggled with it. Richard explained, “We have a huge number of people getting phished every year. The education is working, but it's not working at the level that we would hope.”
After trying out options like hardware tokens with RSA SecurID, Richard’s team was interested in something simpler and more straightforward that would best serve the variety of technical skill levels across the University of York community.
The recommendation to try Duo actually came from Richard’s boss. After a brief trial, it emerged as the right balance of a low-overhead, cloud-based deployment for the information security team and an accessible solution for the users.
One of Duo’s key benefits for University of York was how it protected initial entry into the network. Previously, if an attacker used phishing or malware to gain access to an administrator’s credentials, they had the keys to a large amount of data; the second layer of security that 2FA provides strengthened the university’s perimeter.
Richard’s team first rolled out Duo to system administrators, network administrators and other technical staff. It wasn’t long before other people around the university asked to get on board, a request Richard was happy to oblige. “One of the really cool things about Duo Security is that you can do a small deployment and it doesn't cost you a lot of time, infrastructure or money to get set up,” he said.
Another standout about Duo was how easy it was to get users started, regardless of their level of technical skill or access granted. For example, the university’s health practitioners use a National Health Service application, which needed more fine-tuning than a one-size-fits-all solution.
As Richard detailed, “We have a VPN service and when normal users log in, they get access to the network in a particular view, firewalled and that kind of thing. If a member of IT services logs in, then we want to give them a higher level of access. In order to get onto that VPN you have to use two-factor authentication.”
“Duo’s just been really simple, straightforward, and it hasn't got in the way of what we've been trying to do. The app is really clean and just works … in fact, it's actually fun to do two-factor auths.”