Information about what multi-factor authentication is, what options you have available, and how you can use it to strengthen your Tennessee Tech account.
What is Multi-Factor Authentication?
'Multi-factor authentication', also called 'two-factor authentication' or 'two-step verification', is a method of confirming the identity of a person by combining two different factors. Put simply, it comes down to two things: what you know, and what you have. Most people have been using it for years without really knowing it. The most common example is banking: when withdrawing funds from an ATM, you insert your card (something you have) and enter your PIN code (something you know) to authenticate the transaction. The same applies to any situation that requires setting security questions & answers.
Why Should I Do This?
With the previous password portal, the process required the setup of security questions and an email address. If the password was forgotten or the account was locked out, the user could reset their password by accurately answering the security questions, requesting that a temporary code be sent to their email address, or providing information to the myTECH Helpdesk for verification and reset. Because technology is always changing, upgrading the password portal was necessary in order to stay up-to-date with current standards and move to stronger methods. Anyone given enough time can figure out how to manipulate a system or people to gain unauthorized access. This is an ongoing battle, especially with the use of social media platforms and other public information sources, which can be used in social engineering attacks.
How Can I Strengthen My Tennessee Tech Account?
More is better! Increasing the number of authentication options gives the user the best chance of being able to access what they need. If one of the available options is forgotten, such as security questions, the user can use the other registered options they know or have. Many large companies and several Tennessee universities already use multi-factor authentication, such as mobile authenticators, hardware tokens, etc. Enabling this can reduce hacking and spam & phishing campaigns, leaving cyber criminals' old tricks and habits useless. With MFA in place, if a user's password is compromised, the hacker must also have access to a second factor (mobile authenticator, hardware token, etc.), which is less likely.
What Options Are Available?
With the new portal, there are several security options to choose from, but only the options listed below are currently available.
Security Questions & Answers: this is something most people are familiar with and understand well. This can also be referred to as 'Challenge Questions'.
Alternate Email: this option was also present in the previous portal, but had no restriction. When a user's TTU account is locked, a recovery code sent to that same locked email cannot be accessed. This made relying on the myTECH Helpdesk and other IT Services more time consuming, even though the user already had the power to do this themselves. Enforcing an alternate, non-TTU email address ensures users can get self-help faster and go about their day.
Mobile Authentication: this is a new feature that most people have not previously used, but it is a stronger alternative. The majority of campus users already own some type of smart or mobile device with its own multi-factor authentication: PIN, biometric scanning, pattern swiping, etc. A mobile app can quickly generate a one-time passcode (OTP) that is unique and extremely effective.
YubiKey: this method involves a physical hardware token, or a key, that creates a unique OTP on each interaction. These are manufactured by Yubico, and can be purchased individually for a cost. Note: IDme only supports the following models: 5 NFC, 5C, 5Ci, 5 Nano, and 5C Nano.
Tennessee Tech has worked with Yubico to obtain a discount for purchasing a device. We have conveniently provided the discount code inside of TechExpress on the profile card.
Clicking the "Show YubiKey Discount Code" button will display the code. This can be used to purchase the key from Yubico's website: https://www.yubico.com/store/#yubikey-5-series
The appropriate key must be added to your cart. At the checkout, there is a promo code section available. Insert your discount code in that box.
Here are some things to know about the YubiKey before it is purchased:
- The YubiKey discount can only be utilized from Yubico's website. Other retailers will not honor the discount code.
- This is a personal purchase and must be paid for with personal funds.
- The code retrieved from TechExpress can only be redeemed for a single purchase, after which the code cannot be used again. This can include two keys in the same cart.
- A new code cannot be generated for a user once their code has been redeemed.
- Only purchase one of the tokens mentioned above. Do not purchase the blue security key. Do not purchase the FIPS Series key. Do not purchase the YubiHSM key.
Frequently Asked Questions
Q: I am completely lost. I need help!
A: The myTECH Helpdesk can assist in person in the Volpe Library and is available by phone at 931-372-3975. The Office of Information Security can also assist in Clement Hall 216B at 931-372-3913 or 931-372-6859. There is also a self-help guide at IDme's main page, which details the registration process here.
Q: This process is extremely long! Must I do this each time I log in?
A: The initial registration process only needs to be completed once.
Q: What is an OTP (one-time password)?
A: An OTP (one-time password) is a unique one-time use code sent from a trusted source to verify your identity for a login request.
Q: I don't have a smartphone or mobile authenticator available. What can I do?
A: Contact the myTECH Helpdesk in the Volpe Library, or by phone at 931-372-3975. An alternate method using a YubiKey can be utilized. A discount code is available from TechExpress. Note that this is a personal purchase. For more information, please see the guide here in the YubiKey Tokens section.
Q: I do not have another email address. Can I continue without it?
A: No. If the TTU email is locked, a code sent to it will not be accessible. If you have concerns about using your personal email, please create and register another email address expressly to be used for this authentication process.
Q: What are you going to do with my information now that I've given it to you?
A: Information entered at registration is only intended for OTP or recovery methods for the respective user.
Q: Why is changing my password so complicated now? I just want to go back to the way it used to be.
A: Unfortunately, things can't stay the same forever. Every day a new company is involved in a security breach, affecting millions of people or more. Daily, ITS disables accounts for sending spam, and thousands of attempts are made to access TTU accounts. While ITS maintains appropriate security controls to combat these attacks, keeping things the same would be detrimental to users and irresponsible for data custodians.
NIST CSRC's definition of multi-factor authentication: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
Two-step verification explained by SANS: https://www.sans.org/security-awareness-training/resources/two-step-verification
Malwarebytes' take on MFA's security: https://blog.malwarebytes.com/101/2018/09/two-factor-authentication-2fa-secure-seems/