In order to safeguard our information from cyber adversaries, VCU is integrating VCU 2Factor Authentication to its Central Authentication Service.
In the cyber security field, there are three factors that can be used to identify an individual to a computer system. These factors include:
Something you know (e.g. a user name, password, answer to a question)
Something you have (e.g. a phone, an ID card, or a hardware token)
Something you are (e.g. your fingerprint, retina/iris scan, or voice print)
Traditionally, the username and password model rely only on something you know, therefore is considered single factor authentication. The weakness with single factor authentication using something you know is the fact that an adversary can usually find ways to steal this information, thus allowing the adversary to masquerade as the victim. VCU 2Factor Authentication helps to drastically reduce the usefulness of stolen usernames and passwords, as it relies on one or more other factors in proving one’s identity in addition to the username and password.
The beginning of a sophisticated cyber attack usually starts with a phishing scam. A phishing scam is a social engineering attack that utilizes phone call, email, social media or text message to trick a victim into disclosing information that he or she would normally not disclose. The end goal of phishing scams is usually the theft of login credentials such as usernames and passwords. Armed with the username and password of an individual, a cyber adversary can then masquerade as the victim, steal his or her personal information protected by those credentials, or silently compromise the organization for which the victim works while minimizing the chances of raising an alarm.
The implementation of VCU 2Factor Authentication will significantly reduce the likelihood that these stolen accounts can be used by a cyber adversary, as individual identities are verified by not only assigned login credentials, but also something the individual has in his or her possession.
VCU already deployed its VCU 2Factor Authentication solution to various authentication services, and will continue to integrate the VCU 2Factor Authentication solution with the VCU Central Authentication Service.
For VCU’s deployment of VCU 2Factor Authentication to the Central Authentication Service, VCU will utilize the combination of your eID credentials and a message delivered to your phone using VCU 2Factor Authentication provider.
VCU will integrate VCU 2Factor Authentication to all new applications protected by the Central Authentication Service. By default:
VCU 2Factor Authentication will be required for all applications protected by Central Authentication Service and used exclusively by faculty and staff (including student employees).
VCU 2Factor Authentication will be optional for all applications protected by Central Authentication Service and used exclusively by students.
A risk based approach will be taken with the VCU 2Factor Authentication implementation with Central Authentication Service (CAS), and VCU 2Factor Authentication will only be invoked from unknown and/or untrusted locations only.
All individuals using VCU 2Factor Authentication with Central Authentication Service will have the option to remember their device, so VCU 2Factor Authentication will only be invoked on the same device every 60 days.
Individuals who have never used VCU 2Factor Authentication,
will need to follow the instructions below to enroll in the service.
Individuals who are already enrolled in VCU 2Factor Authentication,
follow the instructions below to use with the VCU Central Authentication Service.
Existing applications protected by Central Authentication Service will be migrated in phases to include support for VCU 2Factor Authentication within the next 12 months.
The migration schedule for all existing applications is listed below. VCU is planning to provide this capability to all CAS protected applications throughout 2017.
Fall 2016 / Winter 2017 - Phase one
The initial implementation phase will focus on small and low impact applications and websites used by specific departments or schools. The implementation time will span across December 2016 to the end of January 2017. Applications such as selected VCU departmental intranet sites, specific online request forms and small scale single function departmental web applications will be migrated through the initial phase.
Spring 2017 - Phase two
The second implementation phase will focus on high risk (based on information handled by the applications and sites and accessibility of the applications and sites from the Internet) and medium impact applications. The second implementation phase will focus on medium sized applications that may be used by multiple departments or schools.
Summer 2017 - Phase three
The third implementation phase will focus on high risk (based on information handled by the applications and sites and accessibility of the applications and sites from the Internet) and high impact applications. This phase will focus on enterprise applications that may be used by multiple schools or the University.
Fall 2017 - Phase four
The last implementation phase will focus on large enterprise wide applications using across the University.
Additional documentation for the VCU 2Factor Authentication initiative can be found at go.vcu.edu/duo.
If your new phone has the same phone number, then all you need to do is to simply login to CAS from off campus to invoke VCU 2Factor Authentication, choose the “My Settings and Devices” link from the VCU 2Factor Authentication page.
You will be prompted to verify your identity. At this stage, simply choose the “Call me” option.
You will then receive a phone call asking you to press any key to complete your verification. At the next screen, simply click on the “Device Options” button for the device you need to re-activate.
Next, click on the Reactive DUO Mobile button.
Follow the on-screen instructions to download and activate your new device with the same phone number.
If you change your telephone number and got a new phone, then please contact the VCU IT Support Center at (804) 828-2227 or firstname.lastname@example.org to update your information in the system.
Yes! Other devices such as tablets, landlines, and even hardware tokens can be associated with your eID for the VCU 2Factor Authentication system.
To add a new device, login to CAS from off-campus to invoke the VCU 2Factor Authentication system, click on the “Add a new device” link from the VCU 2Factor Authentication page.
Next the system will need to verify your identity, simply choose “Send me a push”, “Enter a passcode” or “Call me” for your existing device to verify your identity.
Next, you will have the option to add a new device to your account. Choose the desired device, and follow the on-screen instructions to complete the setup of your new device.
If you lost your phone, you should remotely wipe your phone if possible, and contact your cellular service provider and have your phone disabled. You should also report the incident to the police if the loss of the device is the result of suspected theft. Once this is done, you should contact the VCU IT Support center and have your phone removed from your account, a temporary and timed bypass code can be generated for you while you work with your cellular service provider to replace your phone. Once you have your new phone, then you will be able to re-register your phone with the VCU 2Factor Authentication system.
You can always use the phone call or SMS text option if you don't want to install the app. To do so, at the beginning of device setup, choose the Mobile Phone option.
At the next screen, enter your phone number, check the checkbox to verify the number is correct, and hit Continue.
Next, you must verify the ownership of your device, simply choose the "Call me" or "Text me" option, enter the verification code (provided via phone call or text message), click on "Verify", and Hit "Continue"
The registration system will then prompt you to select the type of mobile device, at this screen, simply choose "Other", and hit "Continue" to bypass the DUO Mobile registration.
Please note, setting up your phone this way will not give you the DUO Mobile authentication option, and you will be required to take phone call or use a passcode (via SMS text message or a hardware token) for any future authentication. If you want to use DUO mobile in the future, then please contact the VCU IT Support Center at 804-828-2227 to re-register your device.
There are multiple options for you to complete your 2factor authentication. You can choose the phone call option if you do not wish to receive SMS text messages for authentication codes, or use the DUO Push option if you have enrolled your phone to use the DUO Mobile app.
Alternatively, if you do not wish to register any phones with the system, you may purchase and use hardware tokens for your 2factor authentication needs. YubiKey tokens support YubiCo OTP (Not the U2F only tokens) or hardware tokens supporting TOTP or HOTP can be used as hardware tokens. Once you acquire these tokens, it is necessary for you to contact the VCU IT Support Center in order to place a service request on the registration of the tokens. DUO also provides its own tokens that can be used. Please contact your IT support unit on how to acquire and register these tokens.
There are multiple options for you to complete your 2factor authentication. If you don't want to take a phone call, you can use the SMS text message option, or the DUO Push option if you have registered and installed the DUO Mobile app on your phone.
Alternatively, if you do not wish to register any phones with the system, you may purchase and use hardware tokens for your 2factor authentication needs. YubiKey tokens support YubiCo OTP (Not the U2F only tokens) is the most common form of tokens that can be used with many 2Factor Authentication systems. Alternatively, hardware tokens supporting TOTP or HOTP can also be used as hardware tokens. Once you acquire these tokens, it is necessary for you to contact the VCU IT Support Center (828-2227) in order to place a service request on the registration of the tokens.
All faculty and staff, including students workers are expected to use VCU 2Factor authentication system. Students will have the option of using 2Factor authentication to protect their personal information, but are not required to use it.
For all individuals enrolling a phone with the VCU 2Factor authentication service, the phone number of the individual is collected during the process of enrollment.
In addition to the phone number, for individuals using the DUO Mobile App, the type of device and the version of the Operating System on the device is collected. (e.g. Apple iPhone 7 with iOS 10.3)
For individuals using hardware tokens for VCU 2factor authentication service, the token's public key, secret key, and serial number is collected in order to ensure the functionality of the token.
During any login attempts into VCU IT systems, regardless of whether VCU 2Factor authentication service is used, the location information of the login attempt is collected. (e.g. Login from an IP xxx.xxx.xxx.xxx from Boston, MA). The collected information is used for identification of anomalies that may indicate the compromise of an individual's credentials.