Introduction
Two-factor authentication is an additional security measure required to log in to many services at Virginia Tech. The purpose of this article is to provide best practices and guidelines for effectively using 2-Factor at Virginia Tech to secure your accounts and prevent phishing and other malicious activity. To enroll in 2-Factor authentication, see Authenticating using Duo 2-Factor Authentication.
Content
- General Best Practices
- Best Practices for Departments with Access to Sensitive Data or Critical Systems
Instructions
Use Multiple Devices
The Security and Identity team in the Division of IT recommends that you enroll a minimum of two devices as eligible for authentication. This will ensure that if one device becomes unusable you will have a backup that will allow you to access services. As a third option, you may also generate one-time use bypass codes in batches of 10 at accounts.it.vt.edu. Having these available will ensure you are able to work without interruption.
Use the Most Secure Methods Available
To have the highest level of security, Virginia Tech recommends using only these 2-factor authentication methods:
- Duo Mobile with verified push
- Duo Mobile generated codes
- TouchID
- Windows Hello
- Android Biometrics
- Security Keys
- Hardware Tokens
- YubiKey passcodes
When you first enroll in and set up 2-factor authentication, Duo will suggest the most secure method available. Two-factor authentication is the best defense against hacking and phishing attacks. The Security and Identity team at Virginia Tech does not recommend using SMS (text message) or Voice as a second factor, because these offer a low level of security. SMS and Voice authentication methods will be phased out of the available options in the near future.
Understanding High-Risk Data
Anyone who may access High-Risk Data at Virginia Tech should be familiar with the Standard for High Risk Digital Data Protection and choose the most secure 2FA options available to them in order to protect this data.
Virginia Tech has defined six specific types of data as Personally Identifiable Information (PII) in the Standard for High Risk Digital Data Protection:
- Social Security number
- Credit card number
- Debit card number
- Bank account number
- Driver’s license number
- Passport number
You can learn more about Data Protection in this Knowledge Base article.
WebAuthn
WebAuthn is a web standard that enables secure authentication. It satisfies the 2FA requirement and provides a simple user authentication experience.
Examples of WebAuthn include Roaming Authenticators, like a YubiKey, which travels with you, and Platform Biometric Authenticators, which are built into your device, such as Touch ID or Face ID.
Virginia Tech Security and Identity, a unit within the Division of Information Technology, recommends using strong, phishing-resistant types of 2FA. Using WebAuthn as your second factor is one of the best ways to protect yourself against phishing attacks.
If you access high-risk or sensitive data, you should only use secure WebAuthn authentication methods.
You can read more about WebAuthn at the WebAuthn Guide.
Platform Biometric Authenticators
Platform authenticators are authentication methods built into the device you use to access services and applications protected by Duo. Examples of platform devices would be Touch ID on Mac, Face ID on an iPhone, Windows Hello, and Android biometrics.
For more information about platform authenticators as well as detailed instructions visit the Duo Knowledge Base for Platform Authenticators.
Enabling Biometric Authentication for Duo
- Open an incognito or private browsing window.
- Go to OneCampus.
- If the page appears dark with text overlaid, click the page to dismiss the overlaid text.
- If any OneCampus announcements pop up, read the text, then click the appropriate button to dismiss the pop-up.
- Near the top-right corner of the page, click Sign In.
- From the drop-down that appears, click Sign In.
- Type your credentials.
  - In the Username text box, type your VT Username (PID), which is the first part of your @vt.edu email address.
  - In the Password text box, type your VT Username (PID) passphrase.
- Click Login.
- When the Duo Universal Prompt window appears, select Other Options.
- On the next screen, select Manage Devices.
- Verify your identity using one of your existing 2-Factor authentication methods and then you will be directed to the Device Management page.
- Select Add a Device.
- Select the biometric option you want to use.
- Follow the on-screen instructions to add the device.
- The authentication method is now added to your Duo account.
Note: The exact steps and availability of Touch ID and biometric features may vary based on browser versions and operating systems. Always ensure your software is up to date to access the latest security features.
For more detailed guidance, refer to the Duo Knowledge Base articles below.