UR enforces multi-factor authentication on campus to curb phishing attempts

Editor's note: This article was updated to indicate that the rollout was completed on Nov. 1.

The University of Richmond’s Information Services completed the rollout of the mandatory use of Duo Multi-Factor Authentication on Nov. 1 for all students, faculty and staff on email in an effort to mitigate cyber threats on university-run accounts.

Since UR started the implementation of Duo MFA, there have been no successful phishing attacks that compromised any account, John Craft, the director of information security, said.

According to Craft, UR is targeted by thousands of phishing emails every day. There were four successful phishing attacks against UR emails between April and August 2022.

Information Services introduced the mandatory use of Duo MFA in tiered phases. By Nov. 1, all UR emails were transitioned to the authentication system.

Students who did not register for Duo will be unable to access their email until they do so, Craft said.

“The first few times I found it pretty annoying [because of] the extra steps,” junior Makena Gitobu said. Since then, she said she has gotten used to using the platform.

Duo is widely used in the educational space and is one of the more popular MFA solutions available, Craft said. YubiKey, another MFA solution, works in the same way but requires students to carry a USB drive and costs between $20-$70.

“It feels kind of unnecessary to use,” first-year Leo Muller said. “Maybe the first time you log in, but once you’re logged in and put your password in once, it doesn’t seem that helpful.”

Duo was a necessary next step for UR to implement MFA practices, Craft said.

College campuses are an open environment, so members of the public are able to join the campus network, Craft said. 

“We have a porous network perimeter and because of that, it is very difficult for us to say ‘well we only trust things that are on campus’ when we could have a bad actor potentially come and connect to a resource internally and try to perform malicious activity or access unauthorized resources.”

Members of the community will still be required to change their passwords every year since Duo is still not enabled for everything that uses the university account, Craft said.

Students should expect to use Duo every time they log in to their email through a web browser. However, students using their personal devices such as their phones or computers should not be prompted very frequently unless they clear the cookies or tokens from their device or change their password, Craft said.

Since the recent rollout, Gitobu said she gets a push every time she logs into her email and Bannerweb account on her personal device.

Muller said he occasionally gets Duo notifications on his personal device, but always when he uses a library computer.

“Every time we’re in the library and we log in, someone says ‘It’s Duo time!’” Muller said.

Duo has been in place for several years but has not been used in this capacity before, Craft said.

Gitobu and Muller said they first connected Duo to their UR accounts before arriving on campus their first year. Gitobu did not receive Duo notifications often until this year, she said.

Some students, including Gitobu, have had minor difficulties with Duo. 

“Sometimes I’ll approve the push, but the laptop will have a weird issue where I will have to sign in again,” Gitobu said.

Craft advises members of the community to reach out to the Help Desk if they experience any issues with Duo.

If members of the community do not want to use the Duo push system, Information Services can supply them with one Duo token for free, which generates a 6-digit passcode to enter. So far, around 80 tokens have been distributed, Craft said.

UR plans to expand its use of MFA and anticipates that it will not be as disruptive since Duo will have been completely rolled out in this phase. Reports from Microsoft and Google prove that MFA reduces the chance of credential compromise by 99.9% on sources that host sensitive data.

As the UR community becomes more accustomed to Duo, Craft warned of “Duo Fatigue,” and advises all members of the community to be careful and to make sure that when they get a Duo notification, they do not just click accept.

Contact news writer Abby Spiller at abby.spiller@richmond.edu.