To help protect private and sensitive data, WVU employees will have to confirm their identities in two ways to gain access to many critical systems, starting in 2018. Two-factor authentication is a second layer of security besides your password. It means you will have to confirm your identity with two things – something you KNOW and something you HAVE.
About 360 staff, students and faculty are already using WVU’s two-factor authentication service, Duo, in a pilot that Information Technology Services has been conducting for many months. Most testers find that after the initial setup, two-factor authentication is fast and easy, taking only seconds to complete using the free smart phone app.
Many people already use two-factor for online banking and shopping. Social media sites ask you to confirm your identity when you try to log in from a new device or location, and you may have to enter your ZIP code when you use a credit card to buy gas. That’s two-factor at work. Even the State Auditor’s Office is now offering it on the MyApps site, where you can check your pay stub. Two-factor is also used by leading higher education institutions: Duke, Stanford, Virginia Tech, Boston University, Princeton and Yale are among Duo’s customers.
WHY ARE WE DOING THIS?
- In 2018, WVU must comply with the Payment Card Industry Data Security Standard (PCI DSS). This applies to any company or institution that accepts, stores, processes or transmits credit card payments and card holder data.
- Passwords alone aren’t good enough anymore when it comes to protecting sensitive data, personal information, and our systems and networks. More than 60 percent of confirmed data breaches involved weak or stolen passwords.
- In February 2017 alone, ITS blocked 445 web addresses linked to phishing scams, or attempts to steal your credentials. We also blocked more than 4.5 million pieces of spam and nearly 870,000 threats to our network that month, while deleting nearly 1,500 viruses. We publish recent statistics on our website.
- A large security breach of personal data could result in big costs to the University, which would be required by state law to offer one year of credit protection services to each affected user. Our cyber-insurance policy currently carries a $255,000 premium; credit protection costs would be reflected in our renewal rates. The potential damage to our institutional reputation can’t be quantified in dollars.
Voluntary enrollment for those interested in joining the pilot will begin with the fall 2017 semester. Starting in February 2018, the use of two-factor authentication will be required on all WVU campuses. The program will be rolled out gradually, with onsite support from ITS for departments and colleges in Morgantown, and at the Keyser and Beckley campuses.
ITS will also be offering hardware options for people who don’t use smart phones. We’ll have more on that later this summer. Meanwhile, you can find the answers to many other Frequently Asked Questions about two-factor authentication online. Please direct questions or concerns to TwoFactor@mail.wvu.edu.