CIO

AISA 2018: The journey to multi-factor authentication

Multi-factor authentication, or MFA, is fast becoming the default practice as organisations seek to bolster their security by strengthening the entry point into systems and applications. Deakin University has been on a quest to introduce MFA to all users while not adding complexity to their lives. Dushyant Sattiraju has been one of the leaders of this project at Deakin University. He spoke at the recent Australian Cyber Conference, hosted by AISA, about this work and some of the lessons learned along the way.

The focus of the MFA project, said Sattiraju, was on keeping things simple. MFA systems rely on users providing at least two different pieces of information in order to prove their identity. These can be something they have, something they are or something they know, he said. But "we tried to keep it as simple as possible," he added. The focus on simplicity was critical.

Deakin University's IT environment is quite complex, so there had to be a balance between security and usability. Getting the balance wrong would result in a major loss of credibility for the technology team, and users would find ways to circumvent or bypass the system. In order to introduce MFA, Sattiraju said the university went through a five-step process.

The first step has been in progress for some time. This was the enablement of a single sign-on (SSO) solution for all web-based applications. The solution in place for SSO is Shibboleth.

His team then spent time and resources on a targeted communications and education campaign, not only to tell people that two-factor authentication (2FA) was coming but also to explain its benefits in non-technical terms. Part of that was creating a website, turnon2fa.com, that provided a single point of reference for enabling MFA.

MFA was then turned on for critical apps - the so-called "crown jewels" - and deployed as an optional-but-strongly-encouraged service for all technical staff and system administrators. This was followed by enabling MFA for all key users.

As well as Shibboleth, Deakin deployed F5 BigIP for access policy management.

For MFA, Deakin University chose Duo, which was recently acquired by Cisco.

One of the benefits of MFA is that the risk of phishing attacks is reduced, said Sattiraju, because authentication into systems is not dependent on a single password. The Duo solution that was chosen works with multiple devices to provide the second authentication factor, including non-smart mobile phones, as well as smartphone apps and hardware tokens for users who don't have a mobile phone - of which Sattiraju said there are a surprising number.

Onboarding users for MFA is completely automated. Users only need to scan a QR code and they are automatically set up for the system. When a user is authenticated using MFA, they don't need to log in again for seven days unless they change IP address. If they log in at home on a laptop, for example, and then take the laptop to a cafe, they have to re-authenticate when they change network.
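The seven-day remembered-session rule described above, modelled as a policy check over a sequence of logins. This is an added example, not Deakin's or Duo's code; the function names, user, IP addresses and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical model of the policy the article describes: after a successful
# MFA login the user is not prompted again for seven days, unless the client
# IP address changes (e.g. the laptop moves from home to a cafe network).
REMEMBER_PERIOD = timedelta(days=7)


def evaluate_login(remembered, user, ip, now):
    """Return 'mfa_required' or 'remembered' for one login attempt.

    remembered: dict mapping user -> {'ip': str, 'mfa_at': datetime}
    """
    entry = remembered.get(user)
    if entry is None:
        return "mfa_required"          # never completed MFA on this record
    if entry["ip"] != ip:
        return "mfa_required"          # network changed: re-authenticate
    if now - entry["mfa_at"] >= REMEMBER_PERIOD:
        return "mfa_required"          # seven-day window has expired
    return "remembered"


def record_mfa_success(remembered, user, ip, now):
    """Bind the remembered session to the IP and time of the MFA success."""
    remembered[user] = {"ip": ip, "mfa_at": now}


def replay(events):
    """Run (user, ip, timestamp) events through the policy; assume MFA succeeds
    whenever it is required. Returns the decision made for each event."""
    remembered = {}
    decisions = []
    for user, ip, at in events:
        decision = evaluate_login(remembered, user, ip, at)
        if decision == "mfa_required":
            record_mfa_success(remembered, user, ip, at)
        decisions.append((user, ip, at.isoformat(), decision))
    return decisions


# Constructed sample: home network first, then a cafe, then window expiry.
T0 = datetime(2018, 10, 10, 9, 0)
EVENTS = [
    ("alice", "203.0.113.10", T0),                               # first login at home
    ("alice", "203.0.113.10", T0 + timedelta(days=2)),           # same network, remembered
    ("alice", "198.51.100.7", T0 + timedelta(days=2, hours=3)),  # cafe: new IP, re-auth
    ("alice", "198.51.100.7", T0 + timedelta(days=3)),           # still at cafe, remembered
    ("alice", "198.51.100.7", T0 + timedelta(days=9, hours=4)),  # >7 days since cafe MFA
]

if __name__ == "__main__":
    for row in replay(EVENTS):
        print(row)
```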

Sattiraju and his team did learn some lessons through their project. He said the technology is actually quite easy, but user education about what MFA is and its benefits was harder. There was also resistance by users to using personal devices for the second authentication factor, but this was overcome by Duo's flexibility in supporting hardware tokens as well as SMS and other methods for providing authentication factors.

With Duo, Sattiraju noted that the colours and user interface of the software are not customisable. One of the chief criticisms by users is that the buttons on the app don't match Deakin University's standard colour scheme. There were also licensing issues with access for sessional staff who work at the university occasionally.

It was clear from Sattiraju's presentation that having a solid foundation, and being some way down the road with an effective SSO solution, was helpful. And user education, not just in what to do but in why MFA is important, was critical. This again highlights that security isn't always a technology issue but is highly dependent on people.