Two-factor authentication is a big problem…for would-be attackers.
(co-authored by Andy Efting and Derek Spransy)
The LITS Enterprise Security Office recently completed work on a major security effort at Emory: the implementation of two-factor authentication for external access to Emory’s network.
In January of 2014, Enterprise Security prepared a business case in response to an ever increasing assault on Emory applications and the associated sensitive data. At the time, single-factor authentication (NetID and password) was proving inadequate for securing access to high value/risk systems.
One of the proposed solutions was to add a second authentication factor requiring the requester to authenticate to a system possessing two items: 1) something they know, such as a password, and 2) something they have, such as a token, or smart phone app that prompts the user for authentication approval. An attacker may possess one of these items but is unlikely to possess both.
Once approval was reached to move forward, the project team reviewed 13 vendors and selected Duo Security, which provided a user friendly, easy-to-use solution.
The process of rolling out Duo two-factor authentication to the campus began with the VPN (Emory’s virtual private network). A subset of our VPN user base was already using token-based two-factor authentication, and so it was a quick win to get those people switched over to the new, much more user-friendly system. From there we began a Duo enrollment drive for the rest of the VPN user population, and by July 2016 we had over 5000 users registered in the Duo system.
The next step was to implement Duo for Office 365 applications (primarily webmail) for the entire enterprise. That necessitated a campus-wide enrollment effort to get everyone enrolled by our target date of Oct 10, 2016. The first two months of the effort saw nearly 20,000 users self-enroll each month, and by Oct 10 we had around 50,000 users enrolled in the system. By January 2017 we had approximately 65,000, which constituted nearly the entire user population.
Once the system was fully operational for O365/webmail, it was relatively easy to begin requiring Duo for PeopleSoft HR, Student, and eventually Compass Financials. Around the same time we implemented Duo for O365, we also activated it for the Emory Healthcare virtual desktop (VDT/VDI) environment.
The Rollins School of Public Health uses Duo to protect their Citrix environment. We also have a few other websites and applications setup to use Duo. The team anticipates implementing Duo for more Emory applications in the future.
As far as peer organizations go, Emory has now set the bar high by requiring Duo for all faculty, staff, students, and healthcare workers, and for so many enterprise-wide applications. We are regularly consulted by other universities to learn how we were so successful in our Duo implementation.
The beneficial impact to Emory is very significant. Between October 2016 and January 2017, we saw a 96% decrease in compromised accounts, and a 92% decrease in the amount of phishing domains we’ve had to block. These numbers prove that Duo has had the effect of both reducing not only the number of compromised accounts we have to respond to, but has also made us a much less attractive target for phishers.
Duo-enrolled Emory employees can now have peace of mind that the risk of someone accessing their personal information, or redirecting their paychecks, is greatly reduced.
For more information, contact security [at] emory [dot] edu.