Multifactor Authentication, Multi-Layer Protection | Information Technology | University of Pittsburgh

Multifactor Authentication, Multi-Layer Protection

Wouldn’t it be nice if you could protect your password with another password? Multifactor authentication does just that. Think of it like placing your housekeys in a safety deposit box that can only be opened by a facial scan.

Multifactor authentication (MFA) is a cybersecurity measure that requires anyone logging in to prove their identity in additional ways. After you enter your username and password (something only you know), you then have to prove your identity with something only you have, like a fingerprint, facial scan, or your cellphone. 

Why go through all this trouble? Because MFA makes it extremely hard for hackers to access your online accounts, even if they get access to your password. It might seem like a hassle, but once you have it set up, proving your identity adds just a second or two to the log-in process.

Here are our top tips for making MFA a breeze:

Use It Everywhere You Can

Pitt requires you to use Duo for logging into Pitt accounts and services through Pitt Passport. But your online life goes beyond just Pitt. We recommend that you implement multifactor authentication for any account that permits it, especially any account associated with work, school, email, banking, and social media. Many sites allow you to use Duo, which is super convenient.

Multifactor authentication can work in a variety of ways. Duo sends a message to your cellphone that you can then approve or deny. Other sites may require a different MFA method, for example, inputting a code, answering a security question, or using a fingerprint/facial scan.

Pay Attention to Stay Hackproof

While MFA is one of the best ways to secure your accounts, cybercriminals have found ways to get around it — and that way is usually YOU! A hacker may try to access an account multiple times, hoping that out of confusion or annoyance, you’ll just approve the log-in.

If you are receiving a Duo (or other MFA system) log-in request and you aren’t trying to log in, do not approve the request! Instead, hit Deny and change your password for the account ASAP. You can also contact the service provider to let them know that someone is attempting to gain access to their site. (Note: when denying a Duo prompt while logging into a Pitt service, the Pitt Technology Help Desk is automatically notified so they can identify if the scam is widespread.) Also, if you used that same password for any other site, change it on those accounts too. (This is why every password should be unique.)

Have Duo Remember You

One login a day is no big deal. Having to do it every time you switch to a new service can start to be a pain. Skip the extra Duo pushes by having the service remember you. When you log in, look at the bottom of the Duo screen for the “Remember me for 24 hours” checkbox. Select it before approving the Duo authentication request. (If you can’t select/see it, click “Cancel” to cancel the prompt and refresh the Duo notification screen, so it will appear. Then select it and have Duo resend you the prompt.)

[Image: Duo login screen with Remember Me for 24 Hours option highlighted]

With this option, you won’t have to log in through Duo again for 24 hours, so long as you are using the same browser on the same device. Once selected, it will remain active until you deselect it. One of the advantages here is that with fewer Duo prompts, a random prompt should capture your attention!

Register a Backup Device

Save yourself a headache by registering a backup device with Duo, just in case you forget/misplace your primary device or it loses juice and powers down. By having another device registered, like your landline, a tablet, or your Teams-based office number, you’ll have an easy backup method for logging in.

To add a backup device, log into accounts.pitt.edu > Login & Security > Add/Manage Pitt Passport Devices. Then log in with Duo authentication by clicking on the method you want to use. From there, you can add another device/line.

Reactivate MFA With New Devices

When you get a new mobile device, you may need to reactivate your MFA service, even if your new phone has the same number as your old one. That’s because most MFA services, including Duo, are tied to the hardware security module or MAC address for your device, or load a token onto it.

[Image: Duo settings with Reactivate Device setting highlighted]

To reactivate Duo, log into accounts.pitt.edu > Login & Security > Add/Manage Pitt Passport Devices. Then log in with Duo by calling your number or using a passcode. From there, click on “Device Options” next to the device you want to reactivate and click “Reactivate Duo Mobile.”

Make MFA as Convenient as Your Phone

These tips can help make using MFA as convenient and effective as possible, so protecting your accounts is a snap. For detailed information and instructions about Duo, see the Pitt IT Multifactor Authentication (Duo) webpage.

-- By Karen Beaudway, Pitt IT Blogger

 

* Sources include: National Cybersecurity Alliance, Duo, Pitt IT Security