
Version 11 (modified by dabantz@…, 10 years ago) (diff)


Two-factor Authentication

Two-factor authentication requires users to provide a "second factor" in addition to the correct password to authenticate and gain access to resources. If your password is "something you know", the second factor can be described as "something you have" such as your working telephone or smartphone. [In principle the second - or third - factor could be "something you are" such as fingerprint or voiceprint recognition.]

The UA Identity Provider has been extended to allow use of two-factor authentication using Duo Security. When two-factor authentication is invoked (as described below) you will first provide your identifier and UA Password just as you usually do for most applications. If and only if your password is verified a second screen will ask for the second factor. That second factor may be one of the following:

  • replying "Approve" to a login request pushed to the Duo smartphone app on your registered phone
  • entering a one-time code sent by SMS text message to your registered cell phone
  • entering a one-time code you hear in a voice call to your registered phone
  • tapping an enrolled YubiKey hardware token (currently requires the Chrome browser)

[Image: Duo second-factor request on the UA IdP login page, shown after the password is verified, listing the options available for the second factor]

Any of those methods demonstrate you "have" the registered device or phone number. The smartphone app is generally regarded as the most convenient, as you do not have to type a code. Image of the Duo smartphone app showing request for login is below:

[Image: Duo mobile app showing a login request]

A one-time registration process records a user's phone number and preferred means of providing the second factor. That is, the initial registration associates a specific phone number and mode of communication with your UA Username or ID #. A single user may have multiple registered second factors; for example, you might have a smartphone that uses the Duo Security app and a land line on which you can receive a voice call providing a one-time code.

Invoking two-factor authentication

At least two means of invoking two-factor authentication are envisioned:

(1) A service can request two-factor authentication when relying on the Identity Provider to authenticate users. It does so by explicitly requesting the two-factor "authnContext" (a RequestedAuthnContext element naming the two-factor authentication context class) in its SAML authentication request. An important caveat is that the Identity Provider is not in general guaranteed to honor that request: it may not be capable of a particular method, or it may default or fall back to some other method. The Identity Provider will include in its response a precise indication of the method it actually used to authenticate the user (the AuthnContextClassRef in the assertion), but it is up to the relying service to verify that the method used is one that service considers acceptable and to respond accordingly. That is, the SP might deny access altogether if the authentication method was not the one requested, or it might allow access only to some portion of the service.

The authentication context to request Duo two-factor authentication is: https://iam.alaska.edu/trac/wiki/mfa
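The following is an added example of the relying-party check described above; it is not code from the UA IdP or from Duo. It builds a SAML AuthnRequest that asks for a specific context class with Comparison="exact", then reads the AuthnContextClassRef the IdP actually asserted and decides whether to grant full access, limited access, or none. The context class URI, entity IDs and the SAML responses are constructed placeholders, not UA's real values, and the example deliberately does no XML signature verification; a real SP must validate the signature and the assertion conditions before trusting any of this.

```python
"""SP-side verification of the authentication context an IdP reports.

Added example, not part of the UA IdP or Duo. Everything named *.invalid and
the DUO_MFA_CONTEXT URI are assumed placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed placeholder for the two-factor context class the IdP publishes.
DUO_MFA_CONTEXT = "https://idp.example.invalid/authn/duo-two-factor"
# Standard SAML class for a plain password login over TLS.
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_authn_request(request_id, sp_entity_id, context=DUO_MFA_CONTEXT):
    """Return an AuthnRequest (as XML text) that explicitly asks for `context`.

    Comparison="exact" tells the IdP that only this class satisfies the request;
    the IdP may still answer with something else, which is why the SP checks.
    """
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": "2014-06-25T00:00:00Z",  # constructed timestamp
    })
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % NS["samlp"],
                        {"Comparison": "exact"})
    ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS["saml"]).text = context
    return ET.tostring(req, encoding="unicode")


def requested_context(authn_request_xml):
    """IdP-side view: which context class did the SP ask for (None if none)."""
    ref = ET.fromstring(authn_request_xml).find(
        ".//samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def authn_context_used(saml_response_xml):
    """Return the AuthnContextClassRef asserted in the first AuthnStatement."""
    ref = ET.fromstring(saml_response_xml).find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def authorize(saml_response_xml, required=DUO_MFA_CONTEXT,
              fallback=(PASSWORD_CONTEXT,)):
    """Decide what the SP grants: 'full', 'limited' or 'deny'.

    The decision is made on what the IdP says it did, never on what was asked;
    an absent or unknown context class is treated as a failure, not a pass.
    """
    used = authn_context_used(saml_response_xml)
    if used == required:
        return "full"
    if used in fallback:
        return "limited"
    return "deny"


def _response(context_ref):
    """Constructed, unsigned SAML Response for demonstration only."""
    ctx = "" if context_ref is None else (
        "<saml:AuthnContext><saml:AuthnContextClassRef>%s"
        "</saml:AuthnContextClassRef></saml:AuthnContext>" % context_ref)
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2014-06-25T00:00:00Z">'
        '<saml:Issuer>https://idp.example.invalid/idp/shibboleth</saml:Issuer>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-25T00:00:00Z">'
        '<saml:Issuer>https://idp.example.invalid/idp/shibboleth</saml:Issuer>'
        '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
        '<saml:AuthnStatement AuthnInstant="2014-06-25T00:00:00Z">%s</saml:AuthnStatement>'
        '</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], ctx)


# Three constructed IdP answers: honoured the request, fell back, said nothing.
RESPONSE_MFA = _response(DUO_MFA_CONTEXT)
RESPONSE_PASSWORD_ONLY = _response(PASSWORD_CONTEXT)
RESPONSE_NO_CONTEXT = _response(None)

if __name__ == "__main__":
    req = build_authn_request("_req1", "https://sp.example.invalid/shibboleth")
    print("requested:", requested_context(req))
    for name, resp in (("mfa", RESPONSE_MFA), ("password", RESPONSE_PASSWORD_ONLY),
                       ("none", RESPONSE_NO_CONTEXT)):
        print(name, "->", authn_context_used(resp), "->", authorize(resp))
```

The point of `authorize` is that the SP never assumes the IdP honoured Comparison="exact": the only evidence that a second factor was used is the class reference in the assertion, so a response that carries the password-only class, or no AuthnContext at all, must be treated as exactly that.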

(2) An individual user can require two-factor authentication for their identity. A user desiring higher assurance that others do not impersonate them can indicate that anyone using their UA Username or ID # will be required by the Identity Provider to use 2-factor authentication. If you invoke this option for your UA identity, anyone attempting to authenticate as you will need not only your UA Username or ID # and your UA Password but access to your registered phone in order to provide the second factor, thus making such impersonation more difficult and less likely.

Your identity requires Duo two-factor authentication if, and only if, you are designated in the UA Enterprise LDAP ("eDir") to be in the following group:

cn=security:IdP:require2factor,ou=group,dc=alaska,dc=edu

Currently (in the initial roll-out of two-factor authentication at UA) you can request this group membership and use of DuoSecurity two-factor authentication by request to IAM (email iam@…).

Enrolling and configuring your phone or other second factor

If your authentication invokes two factor authentication (via either of the methods above - because a service requires it or because you are in the security group using two factor) and you have not previously used Duo Security with UA, you will be presented with a page to automatically enroll and designate your phone number to be used for second factor.

Implementation

As of 2014-06-25 Duo Security two-factor authentication is integrated with the production UA Identity Provider.

Users can enroll and configure devices in the Duo Self Service Portal

Users may manage existing devices, or add new devices, for second-factor authentication in Duo's Self Service Portal. After successful initial (password) authentication to any service, click the "Manage devices" button instead of the "Log in >" button. This triggers a second-factor authentication to one of your existing devices; upon successful submission of the second factor, you will see a control panel like the following:

Your existing enrolled devices may be managed using the "Actions" drop-down menu. To enroll a new device, click "Enroll another device" to see the types of device that can be added.

More detailed user documentation is at http://guide.duosecurity.com/manage-devices .
