Multi Factor Authentication (MFA)

What is it?
Multifactor Authentication is a security precept that requires a user to verify they are legitimate prior to accessing network resources.  In a nutshell, it requires two acknowledgements from different, independent sources to verify a user’s credentials.  Your Yale credentials (NetID and password) first and verification of your request for access (phone message, text, token) second.

Why?
In a word, security.  When you attempt to access email or networked resources (including network shares) here at Yale, MFA verifies the connection is not a malicious attempt to access data.  The user logging in from an unknown source is required to provide an acknowledgement to a request for verification – in most cases, your smart phone will ring and you simply respond and you are in.  This verifies that you are the user requesting the data that is being accessed.  If your credentials have been unknowingly compromised, MFA protects you by asking for a confirmation through something a malicious user does not have access to.

Yale Resources
Yale has a variety of resources available to help with questions, setup, issues and remote access solutions.  Documentation, can be found here.

First step is enrollment.
The info-graphic below from Yale ITS should give you a clear idea of what you need and what to do.

MFA001

Informational Videos
Yale ITS also has a series of informational videos put together which I’ve included below.  Hopefully they will help you understand what MFA is for, how to get it working and how to use it with VPN and email.

What is Multifactor Authentication? (2:49)

What is Multifactor Authentication? (Overview) (1:51)

How to install DUO mobile app (2:30)

How to use MFA when logging into CAS (2:02)

Add/Remove/Replace Enrolled Devices
If anything should happen to your confirmation device, or you want to add a device, delete a device or see what devices you have listed, you can do so by visiting the Yale University Duo SSL VPN Service Page at http://access.yale.edu/duo.

Log in as you would anything else at Yale.  If you’ve registered, you should see listed the registered device.

If you’d like to add/change/delete devices or just see what you have registered, click Manage Devices.

When you click that device, Duo contacts the listed device to verify that it is you making this request.  Once you respond, you will have access to the list and can add/change/delete your enrolled devices.

If you wish to enroll another device, you have four choices (three really, unless you have a token).

  • Mobile Phone (recommended)
  • Tablet (iPad, Nexus 7, etc.)
  • Landline
  • U2F token (requires Google Chrome 41 or higher and is usually not available unless you’ve specifically requested a token as described above).

Tokens/Fobs
For those remote users who may have need, a token or key fob can be provided to help you acknowledge MFA requests.  These key fobs/tokens are available only at the ITS Walk-in Computer Support Centers.  In order to obtain a token, you’d need to visit one of the 4 locations listed below.  The token is registered in your name at that time.

  • Bass Library, 110 Wall Street, Lower Level, Room L05
  • Whitney Avenue Office, 55 Whitney Avenue, 4th floor, phone 203-436-9045
  • 25 Science Park, 150 Munson Street, 1st floor, Room 123, phone 203-436-9838
  • Harvey Cushing/John Hay Whitney Medical Library, Sterling Hall of Medicine, 333 Cedar Street, Room LE-20, phone 203-737-1244

Yale and Duo are using what are called U2F (Universal 2nd Factor) tokens.  These are small devices that are plugged into your USB port.  You tap or press the button, and a signal is sent back to Duo recognizing your machine as registered and giving you access.  These are mainly for use by those that do not have smart phone and cannot download the Duo App.

A U2F token requires Chrome 41 or higher, so if you want to use one, make sure you have the most up to date Chrome browser installed on your machine.VPN

VPN and MFA
VPN is also coming into line with MFA and the change should be simple enough.

When you try to log in using your current VPN, you’ll be greeted by a new screen.  This screen asks you for your user name, your password and the method you use to any MFA authentication requests.

MFA-VPN-001

The instructions are pretty self explanatory and should work without incident.  Once you input the three items, and click OK, your MFA authentication notification will be sent to you.

The first two items are simple enough – your NetID and password.

The third item is one of a series of options that are dependent on how you have MFA set up.

  • If MFA calls your phone, type “phone” (no quotes).
  • If MFA sends you a push through Duo (Duo is installed on your smart phone), type “push”.
  • If MFA texts you a code, type “SMS”.

Problems or questions?
If you have any issues connecting or are experiencing any difficulty using this service while off campus, please feel free to contact me.

 

 

Comments are closed