Two-Factor, Two-Step or Multi-Factor Authentication


Description

This article explains what Two-Factor, Two-Step or Multi-Factor Authentication is.

What is Two-Factor, Two-Step or Multi-Factor Authentication?

Two-Factor (2FA), Two-Step or Multi-Factor (MFA) Authentication is a security method used by several systems in addition to just the username and password method.

This usually involves another device or list of passcodes that need to be entered after the initial log in.

What is required to use this?

Service supporting Two-Factor, Two-Step or Multi-Factor Authentication

Several services, like Google and Amazon, will offer it as 2-Step Verification or refer to it as adding an Authenticator.

As of December 2020, MFA or a VPN is required for UCPATH and certain other secure websites at UCSB, such as those dealing with financial, job, and personnel matters.

A smartphone, tablet, RSA token device or Authenticator device

Items like an RSA Token device as seen here

RSA Token Device (aka RSA FOB)

These have been used for some sites but with smartphone apps such as Duo (Website or App Store) or Google Authenticator (Google Play or App Store), you can make your smartphone or a tablet device act as an Authenticator device for such sites.

To request an RSA token device please see: https://www.it.ucsb.edu/mfa/requesting-and-using-hard-token

Why should we use Two Factor Authentication?

The point of Two-Factor Authentication is to help verify that you are the person accessing the site in question.

Passwords often get compromised. An Authenticator, however, is a special key that only you should have on hand.

Apps like Duo, Google Authenticator or the RSA Token Device generate a random number that is valid only for a short period of time and is validated by the server.

So while someone can steal your password, the second step will make it a little difficult for someone to access your account if they don't have your authenticator.

This is also handy for situations such as accessing something sensitive on a computer that is in public, as it is easy to capture passwords on a shared computer that is compromised, but with an authenticator, it makes it much harder to exploit that.

How do I set up Two Factor Authentication?

It will depend on the service you are with.

For the most part, just log onto the service you want to enable and follow the instructions.

UCSB uses Duo for UCPath and several other services and has instructions posted per service as well as general instructions:

https://www.it.ucsb.edu/mfa/getting-started-mfa-duo

https://www.it.ucsb.edu/mfa/adding-multiple-devices-mfa-duo

https://www.it.ucsb.edu/mfa/enroll-replacement-cell-phone-same-number-duo (choose this if you are replacing a cell phone with a newer model of the same brand with the same number)

https://www.connect.ucsb.edu/usage/google-apps/activating-2-step-verification (choose this option if you want to use Google's built-in MFA ability or do not have a UCSBnetID and hence cannot use Duo)

What are the drawbacks with having this setup?

Have to authenticate almost every time you log in.

In most cases, especially if you are connecting with a device or computer that you don't own, you will have to prove who you are every time.

This means you will need to have the authenticator available almost all the time.

Difficult to recover

If your authenticator (i.e. your phone or tablet) gets misplaced, damaged or stolen, you may need to go through some extra hassle and time to get things cleared up with the service to help you re-establish your account access.

https://www.it.ucsb.edu/mfa/enroll-replacement-cell-phone-duo

Certain services require a different way to access for apps

In the case of Gmail, some people like to use Thunderbird or another mail client program that only knows how to handle a username and password. This can cause problems with access, as such programs don't support a means to make use of Two-Factor Authentication.

You may have to refer to that service's alternative password means, such as Google's App Password service, which generates a unique password to be used for a particular application. (Reference: https://support.google.com/accounts/answer/185833?hl=en)

This also happens if you use a personal Gmail account to access your UCSB Connect email for sending purposes.


NOTICE REGARDING Functional Accounts and Google 2 Step Verification:

The memo below is being sent to the Dlist-l listserv.  Thank you for serving as one of the representatives for your department to receive this memo.  Please distribute this message to colleagues in your department.

*********PLEASE GIVE WIDEST DISTRIBUTION**********


October 4, 2022

TO:   UCSB Campus Community

FR:    Emilio Valente, Chief Information Security Officer, Information Technology Services (ITS)

         Manny Cintron, Director Application and Technology Services, ITS

         Jim Woods, Interim Director, Cloud and Identity Services, ITS

RE:    Enable Google Two-Step Verification on Functional Accounts by Nov. 1

Dear Colleagues, 

At UCSB, we are constantly working to enhance cybersecurity. Most of the campus community is already using DUO to authenticate login activity for personal accounts. Beginning November 1, any account known as a Connect Functional Account (printers, fax machines, shared account management) will need to log in with Google’s two-step verification (known as Google 2SV). For our colleagues using functional accounts, the following information is provided to complete the set-up process.

What is a Connect Functional Account?

Connect functional accounts are Google Workspace accounts that belong to a function; this could be a role, such as student receptionist, or a device, such as a fax machine or printer. For shared functional accounts, you can delegate access to the account. More information on that can be found at: connect.ucsb.edu/training-support/connect-user-guides/google-workspace-email/delegating-access-your-account.

Between October 18 and November 1, any time a Connect functional account without 2SV enabled logs in via a web browser, it will remind the user to sign up with the notification, “2SV Enforcement is Coming.” After November 1, users will be unable to access their Connect functional accounts without contacting a service desk for help.

  

How to Set Up Google 2SV: connect.ucsb.edu/training-support/connect-user-guides/google-workspace-email/enabling-googles-2-step-verification


Step 1: Log into your functional account at myaccount.google.com/signinoptions/two-step-verification/enroll-welcome.


Step 2: Follow the on-screen instructions to turn on 2-Step Verification. 

After you set up 2-Step Verification, you can sign in to your account with your password or your phone.


Step 3: Verify it’s you with a second step using Computer/Android/iPhone/iPad: support.google.com/accounts/answer/185839.

After you turn on 2SV, Google will ask that you complete a second step to verify it’s you when you sign in to help protect your account.


Why?

As you may already know, two-step verification helps prevent malicious actors from accessing UC Santa Barbara information and accounts. Even if someone has stolen your password, they will need a “second factor” — usually a temporary numeric passcode sent via SMS or an authentication prompt on a mobile phone app — to access your account.


Who can I contact for help?

Thank you for your flexibility and support as we move our campus services forward in security compliance.