IAM Boosts User Security with Nov. 12 Rollout of Two-Step Verification

May 8, 2015

While it may seem like a new IT security threat makes the headlines on a daily basis, the practice of keeping end users from harm still relies heavily on maintaining strong security at login. That's why the Identity and Access Management (IAM) program at Harvard University Information Technology (HUIT) will be rolling out two-step verification (also known as multifactor authentication) on Nov. 12, 2015 in conjunction with the launch of HarvardKey, the University's new unified credential for access to services like email, desktop, and Web resources using a single login name and password.

"Login names and passwords alone are not good enough to protect our users," says Mahbubur Rahman, IAM software architect and a leader of the implementation effort. "Security threats are common these days, and our users are vulnerable to these attacks. Our IAM team is responsible for ensuring that our users can access their resources whenever they want while keeping them better protected from threats, and adding an additional factor in authentication can help."

Two-step verification is a simple but sophisticated way to increase a user's security when he or she logs in to an application or service. While the traditional method of logging in with a username and password makes use of something secret the user knows (in this case, the password), two-step verification enables another layer of security by also requiring something the user has — in the case of Harvard's solution, the user's mobile phone, which receives either a verification message by push notification or a verification code by text message. (Users can also set their two-step verification preferences so that the system calls their pre-registered landline phone for a response, or they can generate a passcode in an app on their smartphone.) While two-step verification using text-message verification codes is already in use by Google, Facebook, and other services used on a daily basis by members of the Harvard Community, the IAM team hopes that the added convenience offered by push message notification — plus the option to use a landline for those who don't have or don't wish to use a mobile phone — will make it even easier for Harvard users to keep their accounts safer and more secure. Additionally, the new Harvard two-step verification solution doesn't just secure access to web apps; it can also integrate with a wealth of other environments, including VPN and Windows Remote Desktop.

Two-step verification will be available to all non-Alumni HarvardKey users, and while using the feature is optional, it's highly encouraged — both for the added layer of security offered and because, as rollout progresses, some high-sensitivity Harvard applications and services (such as MIDAS, the University's online application for managing identity data) will require two-step verification for login. The technology behind Harvard's two-step verification solution, including the smartphone app for end users, leverages solutions from Duo Security, an industry-leading provider of enterprise-grade security solutions.

"Duo is the most popular two-step verification provider in higher-education institutions, and it has a partnership with Internet2 [a research and academic consortium made up of 252 U.S. universities and more than 80 corporate partners]," notes Rahman.

Harvard application owners interested in learning more about how to implement two-step verification in their own apps and services — or those who just want to learn more about IAM's rollout plans for the two-step verification effort — can contact Gretchen Grozier, IAM community program manager, to learn more. And if you're simply excited about setting up two-step verification for your own personal login? Keep an eye on communications you'll be receiving this fall about how to claim your HarvardKey; you'll be able to quickly and easily set up two-step verification at the same time.
