Defense in layers

Multi-factor authentication

A new initiative is seeking to expand the use of multi-factor authentication at Waterloo. Staff from Information Systems & Technology (IST) and other departments on campus are currently engaged in the process of selecting an appropriate technology solution for the University.

What is multi-factor authentication?

Multi-factor authentication (MFA) is the use of more than one piece of secret information to authenticate a user to a computer system. Generally, logging into a student, banking, or social media account requires your public user name or email address and a secret password. With MFA, you would need to use a password, coupled with a second, temporary password. This temporary password would be valid for only a very short time, or might be good for only a single use. Requiring you to verify your identity using two secret pieces of information decreases the chance that your accounts can be misused by malicious hackers, because a stolen password alone is no longer enough to log in.

Implementing MFA at Waterloo

Additional information security controls are considered necessary in some university departments, particularly in those handling sensitive financial information. However, with the rapid increase in phishing attacks on Waterloo students, accelerating the rollout of this technology has become a priority. Recent phishing has led students to reveal their passwords to hackers, who then misuse those students' email accounts to send spam and search for more victims.

Although the exposure of a password is still a serious matter, MFA can mitigate the effects. If a user logging into a UW website from off-campus is required to enter a second secret code, the value of the hacked account drops, as the hackers would not have that second piece of information.

For staff, MFA will offer additional security for updating their personal and banking information with Human Resources. We also have research projects on campus that allow researchers at other institutions to use and share data. Using MFA to limit access to such data not only provides additional protection, but may be mandated by contractual obligations or by regulations protecting sensitive personal information.

For the proposed UW implementation, some web applications would require an additional secret code, entered after the personal password, before granting access to a system. This second secret could come from one of several sources:

  • a one-time code could be sent to your mobile phone by text message
  • an automated verification call could be made to your landline telephone
  • a security USB key could be inserted into a computer to provide additional verification of your identity directly
  • a small hardware device (called a token) can be used to generate a one-use password to enter into the application's login system

A pilot project using a solution from Duo Security was carried out last year and showed that MFA would be a practical option for Waterloo.

MFA outside of Waterloo

However, you don't have to wait for this rollout to take advantage of enhanced security. You can start using MFA now for your personal internet use. Many companies, including Google, Amazon, Apple, Facebook, and Twitter, offer some form of MFA on their sites by sending you unique login codes via text message. Google also has an app called Authenticator that will generate a code on your Android, Blackberry, or iOS smartphone to further authenticate your identity on Google sites.

MFA: an excellent addition, but not foolproof

One-time codes sent by SMS are not completely immune to eavesdropping. Malicious websites that are crafted to resemble a legitimate site could harvest users' passwords and MFA codes and then use them behind the scenes before they expire. Malware that infiltrates your computer could also harvest and misuse MFA codes. However, these scenarios all require more work or targeting on the part of the hackers, and are much harder than simply acquiring lists of stolen usernames and passwords and trying them out.
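To make concrete what "valid for a very short time, or good for only a single use" means for the app-generated codes mentioned above (Google Authenticator and similar apps implement the time-based one-time password algorithm from RFC 6238, built on the HMAC-based algorithm of RFC 4226), the following is an added example, not code from the article, Waterloo, or Duo Security. It generates a six-digit code from a shared secret and a 30-second time step, and the server-side verifier enforces the single-use property: once a code for a given time step has been accepted, that step and all earlier ones are refused, so a code harvested by a phishing page and replayed a moment later fails even though it has not yet expired. The secret and timestamps are constructed test values (the RFC 6238 test secret), and the names `hotp`, `totp` and `TotpVerifier` are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the ASCII key from the RFC 4226 / RFC 6238 test vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(at_time // step), digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it to raw key bytes."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


class TotpVerifier:
    """Server-side check with clock tolerance and single-use enforcement."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock drift
        self.last_accepted = -1       # highest time step already used (RFC 6238 s.5.2)

    def verify(self, code: str, at_time: float) -> bool:
        now_counter = int(at_time // self.step)
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_accepted:
                continue              # replay of an already-consumed (or older) step
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted = counter
                return True
        return False


def demo_replay() -> tuple:
    """Show a legitimate code accepted once, then refused when replayed seconds later."""
    verifier = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)          # constructed timestamp: 59 s after the epoch
    first = verifier.verify(code, 59)     # genuine login
    replay = verifier.verify(code, 60)    # same code, same time step, replayed
    later = verifier.verify(totp(TEST_SECRET, 89), 89)  # next step, fresh code
    return first, replay, later


if __name__ == "__main__":
    print("current code for the test secret:", totp(TEST_SECRET, time.time()))
    print("accepted, replayed, next-step:", demo_replay())
```

The `window` of one step on each side tolerates a phone clock that is up to 30 seconds off, which is why a harvested code remains useful to an attacker for up to about a minute if the server does not record the last accepted step; the `last_accepted` bookkeeping is what closes that gap for codes that the legitimate user has already submitted.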

Despite the limitations of the technology, using MFA offers much better security than using a password alone, and implementing it at Waterloo will be a major advance in our information security.

Web resources

Google 2-Step Verification, https://www.google.com/landing/2step/

Instructions for turning on multi-factor authentication on major websites, https://www.turnon2fa.com