Best Practices for 2-Factor Authentication Usage at Virginia Tech


Introduction

Introduction

Two-factor authentication is an additional security measure required to log in to many services at Virginia Tech. The purpose of this article is to provide best practices and guidelines for effectively using 2-Factor at Virginia Tech to secure your accounts and prevent phishing and other malicious activity. To enroll in 2-Factor authentication, see Authenticating using Duo 2-Factor Authentication.

 

Instructions

Content

  • General Best Practices
    • Use Multiple Devices
    • Use the Most Secure Methods Available 
  • Best Practices for Departments with Access to Sensitive Data or Critical Systems
    • Understanding High-Risk Data
    • WebAuthN
    • Enrolling Platform Authenticators 
  • Enrolling in Enhanced MFA 

Instructions

General Best Practices 

 

Use Multiple Devices

The Security and Identity team in the Division of IT recommends that you enroll a minimum of two devices as eligible for authentication. This will ensure that if one device becomes unusable you will have a backup that will allow you to access services. As a third option, you may also generate one-time use bypass codes in batches of 10 at accounts.it.vt.edu. Having these available will ensure you are able to work without interruption.    

Use the Most Secure Methods Available

To have the highest level of security, Virginia Tech recommends using only these 2-factor authentication methods:

  • Duo Mobile with verified push
  • Duo Mobile generated codes
  • TouchID 
  • Windows Hello
  • Android Biometrics
  • Security Keys
  • Hardware Tokens

 

 

When you first enroll in and set up 2–factor authentication Duo will suggest the most secure method available. Two factor authentication is the best defense against hacking and phishing attacks. The Security and Identity team at Virginia Tech does not recommend using SMS (text message) or Voice as a second factor, because these offer a low level of security. SMS and Voice authentication methods will be phased out of the available options in the near future. 

Best practices for Departments when Securing Sensitive Data or Critical Systems

 

Understanding High-Risk Data 

Virginia Tech has defined six specific types of data as Personally Identifiable Information (PII) in the Standard for High Risk Digital Data Protection:

  1. Social Security number
  2. Credit card number
  3. Debit card number
  4. Bank account number
  5. Driver’s license number
  6. Passport number

 

At Virginia Tech, there are several roles responsible for data protection that are defined in the Administrative Data Management Standard as follows:

Data trustees are senior university officials responsible for planning and creating policies regarding university data management. 

Data stewards typically classify data according to the Virginia Tech Risk Classifications, define and monitor data quality, monitor data flow, and create data definitions. Their responsibilities are assigned by their respective data trustee, and the guidelines for data stewards are available online.

Other roles such as data experts, data custodians, and data managers have day-to-day responsibilities regarding business processes. They work under the direction of a data steward.

You can learn more about learn more about Data Protection in this Knowledge Base article.

 

WebAuthn 

Virginia Tech Security and Identity recommends the usage of strong phishing resistant types of 2-factor authentication.  Using WebAuthN as your second factor is one of the best ways to protect yourself against phishing attacks.  If you access high risk or sensitive data you should use only secure WebAuthN methods for authentication.

WebAuthn is a web standard that enables secure, passwordless authentication using public-key cryptography. Passkeys are user-friendly representations of WebAuthn credentials, allowing users to authenticate using biometrics (such as fingerprints or facial recognition). This satisfies the requirement of 2-factor authentication and provides a simple user authentication experience. 

You can read more about WebAuthN at the WebAuthn Guide.

Platform Authenticators

Platform authenticators are authentication methods built into the device you use to access services and applications protected by Duo. Examples of platform devices would be Touch ID on Mac, Face ID on an iPhone, Windows Hello, and Android biometrics. 

For more information about platform authenticators as well as detailed instructions visit the Duo Knowledge Base for Platform Authenticators

Enabling Biometric Authentication for Duo

  1. Open an incognito or private browsing window.
  2. Go to OneCampus
  3. If the page appears dark with text overlaid, click the page to dismiss the overlaid text.
  4. If any OneCampus announcements pop-up, after reading the text, click the appropriate button to dismiss the pop-up.
  5. Near the top-right corner of the page, click Sign In.
  6. From the drop-down that appears, click Sign In.
  7. Type your credentials.
    1. In the Username text box, type your VT Username (PID), which is the first part of your @vt.edu email address.
    2. In the Password text box, type your VT Username (PID) passphrase.
    3. Click Login.
    4. When the Duo Universal Prompt window appears select Other Options 
  8. On the next screen select Manage Devices
  9. Verify your identity using one of your existing 2-Factor authentication methods and then you will be directed to the Device Management page.
  10. Select Add a Device 
    1. Select the biometric option you want to use.
    2. Follow the on screen instructions to add the device.
  11. The authentication method is now added to your Duo account

Note: The exact steps and availability of Touch ID and biometric features may vary based on browser versions and operating systems. Always ensure your software is up to date to access the latest security features.

For more detailed guidance, refer to the Duo Knowledge Base articles below

Enrolling in Enhanced MFA

Virginia Tech continues to be impacted by phishing attacks that attempt to circumvent Duo Multi-Factor Authentication (MFA) protections. Because many people across the university have elevated access to critical systems and sensitive data, it is of vital importance that we maintain the highest level of security to enable uninterrupted support for the university’s needs. 

As part of our continued effort to maintain security the Enhanced MFA service was rolled out initially to members of the Division of IT. This service will eventually roll out to the entire university. Enhanced MFA includes the following changes to the current authentication process:

  • Disabling SMS and phone call second factor options. Users will be required to authenticate using the Duo mobile app, an external device such as a YubiKey, or a soft token.
  • The Duo mobile app will now require you to verify the Duo Mobile push with a time-sensitive, generated number as part of the push notification process.

 

You can request early adoption of the Enhanced MFA service using this service catalog item