Information about what multi-factor authentication is, what options you have available, and how you can use it to strengthen your Tennessee Tech account.
What is Multi-Factor Authentication?
'Multi-factor authentication', also called 'two-factor authentication' or 'two-step verification', is a method of confirming a person's identity by combining two different factors. Put simply, it comes down to two things: what you know and what you have. Most people have been using it for years without really knowing it. The most common example is banking: when withdrawing funds from an ATM, you insert your card (something you have) and enter your PIN code (something you know) to authenticate the transaction. The same applies to any situation that requires setting security questions & answers.
The Change at Tennessee Tech
With the previous password portal, the process required the setup of security questions and an email address. If the password was forgotten or the account was locked out, the user could reset their password by accurately answering the security questions, requesting that a temporary code be sent to their email address, or providing information to the myTECH Helpdesk for verification and reset. Because technology is always changing, upgrading the password portal was necessary in order to stay up-to-date with current standards and move to stronger methods. Given enough time, anyone can figure out how to manipulate a system or people to gain unauthorized access. This is an ongoing battle, especially with the use of social media platforms and other public information sources, which can be used in social engineering attacks.
What Options Are Available?
With the new portal, there are several security options to choose from, but only the options listed below are currently available.
Security Questions & Answers: this is something most people are familiar with and understand well. This can also be referred to as 'Challenge Questions'.
Alternate Email: this option was also present in the previous portal, but had no restriction. When a user's TTU account is locked, a recovery code sent to that same locked email account cannot be accessed. This made reliance on the myTECH Helpdesk and other IT Services more time consuming when the user already had the power to do this. Enforcing an alternate, non-TTU email address ensures users can get self-help faster and go about their day.
Mobile Authentication: this new feature is one most people have not previously used, but it is a stronger alternative. The majority of campus users already own some type of smart or mobile device with its own multi-factor authentication: PIN, biometric scanning, pattern swiping, etc. A mobile application can generate a one-time passcode (OTP) quickly, and the passcode is both unique and extremely effective.
How Can I Strengthen My Tennessee Tech Account?
More is better! Increasing the number of authentication options gives the user the best availability to access what they need. If one of the available options is forgotten, such as security questions, the user has the option to utilize the other registered options they know or have. Many large companies and several Tennessee universities already use multi-factor authentication, such as mobile authenticators, hardware tokens, etc. Enabling this can reduce hacking and spam & phishing campaigns, leaving cyber criminals' old tricks and habits useless. With MFA in place, if a user's password is compromised, the hacker must also have access to a second factor (mobile authenticator, hardware token, etc.), which is less likely.
Frequently Asked Questions
Q: I am completely lost. I need help!
A: The myTECH Helpdesk is able to assist in the Volpe Library, and is available by phone at 931-372-3975. The Office of Information Security can also assist in Clement Hall 216B at 931-372-3913 or 931-372-6859. There is also a self-help guide at the IDME portal login, which details the registration process.
Q: This process is extremely long! Must I do this each time I log in?
A: The initial registration process only needs to be completed once. Afterwards, the OTP (in any form) is only needed when changing the password or logging in from a new device.
Q: I don't have a smartphone or mobile authenticator available. What can I do?
A: Contact the myTECH Helpdesk in the Volpe Library, or by phone at 931-372-3975. An alternate method using hardware tokens is currently being tested and will be announced when ready.
Q: I do not have another email address. Can I continue without it?
A: No. If the TTU email is locked, a code sent to it will not be accessible. If you have concerns about using your personal email, please create and register another email address expressly to be used for this authentication process.
Q: What are you going to do with my information now that I've given it to you?
A: Information entered at registration is only intended for OTP or recovery methods for the respective user.
Q: Why is changing my password so complicated now? I just want to go back to the way it used to be.
A: Unfortunately, things can't stay the same forever. Every day a new company is involved in a security breach, affecting millions of people or more. Daily, ITS disables accounts for sending spam, and thousands of attempts are made to access TTU accounts from foreign countries. While ITS maintains appropriate security controls to combat these attacks, keeping things the same is detrimental to its users and irresponsible as data custodians.
NIST CSRC's definition of multi-factor authentication: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
Two-step verification explained by SANS: https://www.sans.org/security-awareness-training/resources/two-step-verification
Malwarebytes' take on MFA's security: https://blog.malwarebytes.com/101/2018/09/two-factor-authentication-2fa-secure-seems/