Multi-Factor Authentication (MFA) Requirement for UH Faculty, Students, and Staff
The US Department of Education Federal Student Aid Office has notified higher education institutions that the Federal Trade Commission (FTC) amended their Standards for Safeguarding Customer Information (Safeguards Rule) component of the Gramm-Leach-Bliley Act (GLBA).
As part of these amended GLBA requirements, and to safeguard personal information of consumers, UH Information Technology Services (ITS) will be requiring all active students, faculty and staff to enroll in Multi-Factor Authentication (MFA) in order to access the University's online services (e.g., Google@UH, STAR, Laulima, MyUH, etc.). This requirement will go into effect on October 2, 2023.
The new GLBA requirements are beneficial. UH has been experiencing ongoing brute force and credential stuffing attacks by cyber criminals attempting to gain access to UH usernames. Since January 1, 2023, we have averaged 20.5 attacks a month, amounting to over 52,000 login attempts against over 49,000 targeted users, of which 35 were successful logins. Duo MFA provides additional protection against unauthorized access to your UH username. Duo MFA has been available to UH users since 2016.
Affected Users
All active students, faculty, staff, and affiliates will be required to enroll in MFA by October 2, 2023. For required users, failing to enroll by October 2, 2023 will result in loss of access to UH services.
Alumni, retirees, and Departmental or Organizational UH Usernames will not be required to enroll in Duo MFA.
SEED (Na Kapuna) participants are not required to enroll in Duo MFA.
Beginning in Fall 2023, users who have already enrolled in MFA (including alumni and retirees) will be unable to opt out.
| MFA Required | MFA Optional |
| --- | --- |
| Faculty / Emeritus Faculty | Departmental / Organizational Usernames |
| Staff | Alumni |
| Students | Retirees |
| Prestudents (admitted applicants and financial aid applicants) | Former Faculty / Staff (non-retirees) |
| Affiliates (including Postdocs) | SEED (Na Kapuna) participants |
FAQ
- What is MFA? What is Duo?
- Am I required to enroll in MFA?
- How do I check if I am already enrolled in MFA?
- How do I enroll in MFA?
- What happens if I don't enroll in MFA by October 2, 2023?
- What methods are available to authenticate with Duo MFA?
- What if I am unable to or don't want to enroll in MFA using my smartphone as my second factor?
- What if I don't have access to any authentication methods?
- Can I request an exception to the MFA requirement?
- Can I opt out once enrolled in MFA?
What is MFA? What is Duo?
Multi-Factor Authentication (MFA) provides a layered approach to securing access to online accounts by requiring a user to present two (or more) distinct identifying "factors" before access is granted to the account or online resource. The first factor is commonly referred to as "something you know". At UH, this "something you know" is your normal UH Login credentials (UH Username and password). The username and password combination has been the most common method of authentication in the industry for decades, but it has significant security weaknesses: used as the sole factor for authentication, it is susceptible to brute force, credential stuffing, and phishing attacks, and should a user's credentials be compromised, an attacker gains immediate access.
Multi-Factor Authentication helps protect against these common types of attacks by also requiring a second factor, commonly referred to as "something you have", at login. This "something you have" is routinely a device you possess - a mobile phone, tablet, landline, or physical token. When using MFA, a user will be asked for both their first factor and second factor before access is granted to the account or online resource. Confirmation that you are in possession of your second-factor device and are permitting a login is normally accomplished by requiring active interaction with the device (responding to a push notification on your smartphone, entering a passcode that was received via SMS, etc.).
As an example, consider that you have been using Multi-Factor Authentication every time you withdraw cash at an ATM. First, you present your debit card ("something you have") to the ATM. Next, you are asked to input your PIN ("something you know"). If either factor cannot be provided, access to your account is not granted and your money cannot be withdrawn. This makes it more difficult for a bad actor who has stolen your wallet (and thus has only one factor) to withdraw your money from an ATM. You may also already be familiar with MFA, as its use has become widespread for many online services, from social media to online banking to gaming and entertainment.
Duo is the service that UH (and many other higher-ed institutions) uses to provide Multi-Factor Authentication. Duo provides a mature platform with several second factor methods and integrates seamlessly with UH Login.
Am I required to enroll in MFA?
All active Faculty, Staff, Students, Prestudents, Affiliates (including Postdocs), and Emeritus Faculty are required to enroll in MFA.
Former students/alumni, former faculty/staff, and retirees are not required to enroll in MFA, but may elect to enroll in MFA. However, once enrolled, there is no option to opt out.
Departmental and Organizational UH Usernames are not required to enroll in MFA, but owners of these types of accounts may elect to enroll the account in MFA to help increase security.
SEED (Na Kapuna) participants are not required to enroll in Duo MFA.
Refer to Affected Users above to view this information in table format.
How do I check if I am already enrolled in MFA?
To check if you are enrolled in MFA, please go to the Device Registration Page.
Not enrolled
If you have not yet enrolled in MFA, you will see a “Welcome to Duo Security” prompt with a "Get Started" button present. At this point, you can begin your enrollment by clicking on "Get Started". Please visit the following AskUs article for step-by-step instructions on setting up your first device: https://www.hawaii.edu/askus/1681.
Enrolled
If you are already enrolled in MFA, you will see a prompt to authenticate with one of your existing second-factor authentication devices. If you would like to add a new second-factor device or adjust your devices and settings, you can do so by authenticating with your second-factor device and following the steps in https://www.hawaii.edu/askus/1681. Otherwise, you can close your browser tab or window after confirming your enrollment.
If you require any assistance determining if you are enrolled in MFA, please contact the ITS Help Desk.
How do I enroll in MFA?
To begin enrollment, please visit the Device Registration Page. For instructions on enrolling in Duo MFA, refer to our "Getting set up for Multi-Factor Authentication" article.
Note that several authentication methods are listed in the first section, which you can select per your preference. ITS recommends Duo Push through the Duo Mobile app. It is also strongly recommended that you register at least two devices for MFA. By registering two devices, if one of your devices becomes unavailable (e.g., if your phone is forgotten or lost), you still have another option to use for authentication.
If you require any assistance enrolling in MFA, please contact the ITS Help Desk.
What happens if I don't enroll in MFA by October 2, 2023?
Users who are required to enroll in Duo MFA but fail to do so by the October 2, 2023 deadline will be routed to the Duo MFA enrollment page upon their next login. UH online services that require authentication via UH Login will be inaccessible until users complete their MFA enrollment.
UH online services that will be inaccessible should users fail to enroll in Duo MFA include, but are not limited to, Laulima, Google@UH apps (including Gmail, Drive, Calendar, etc.), UH Username Management, Financial aid information, Student Employment, Kuali Financial System, Banner, UH Enterprise Dropbox, Peoplesoft, TAPS, eTravel, and Leave.
What methods can I use to authenticate? What options are available to use as my second factor(s)?
UH Login supports the following MFA methods and second-factor devices:
- Duo Push, using the Duo Mobile app on a mobile device (smartphone or tablet)
- Duo Passcode, using the Duo Mobile app on a mobile device (smartphone or tablet)
- Phone Call, using either a mobile phone or landline
- SMS Passcodes, using a mobile phone that supports SMS (text messaging)
- Yubikey Hard Token, which is inserted into your computer's USB port
ITS highly recommends Duo Push as the primary method when authenticating. We also highly recommend that users configure at least two (2) second-factor devices. In this way, should a user forget or lose one of their factors (a smartphone, for example), they will have an additional method available to authenticate (a landline or tablet, for example). Users can configure multiple second-factor devices.
For more information on the different methods you can use and the requirements and considerations for each method, please refer to our "Which authentication method should I use?" article.
What if I am unable to or don't want to enroll in MFA using my smartphone as my second factor?
While ITS highly recommends the use of Duo Push via the Duo Mobile app, there are other methods available to those who do not own a smartphone, such as registering an iOS or Android tablet, registering a hard token, or registering a landline or non-smartphone and authenticating via phone call or SMS.
Option 1: Landline
For individuals without access to a smartphone, you can authenticate logins by using the Call Me option on a landline (home phone or office phone). To see how to set up this method, see https://www.hawaii.edu/askus/1681#landline2.
Option 2: Tablet
For individuals with a tablet or other smart device without a phone plan, as long as your device has an internet connection you can authenticate through the Duo Mobile app by using the Push method. Once the Duo Mobile app is installed and set up, authentication can also be performed via Duo Passcode even if your device loses its internet connection. To set up this method, see https://www.hawaii.edu/askus/1681#tablet2.
Option 3: Cell Phone (non-smartphone)
For individuals without a smartphone, a basic (non-smart) cell phone can be used to authenticate your logins via phone call or SMS. To set up this method, see https://www.hawaii.edu/askus/1681#cellphone2.
Option 4: Hard token
A hard token is a small, physical device that connects to a computer or other smart device via USB-A or USB-C. When prompted to authenticate via Duo MFA, the hard token serves as your second factor ("something you have") and is used to generate a Duo Passcode. Users may purchase hard tokens from ITS Site License for a nominal fee by visiting https://hawaii.edu/sitelic/tokens/.
What if I don't have access to any authentication methods?
Yubikey hard tokens (both USB-A and USB-C variants) are available for purchase via ITS' Site Licensing office. See https://hawaii.edu/sitelic/tokens/ for more information or to purchase a token.
Students, faculty, and staff can inquire with the ITS Help Desk for additional options.
Can I request an exception to the MFA requirement?
No. There are no exceptions to the MFA requirement. Required users must enroll in MFA. Refer to the Affected Users table above for more information on which users are required to enroll in MFA.
Can I opt out once enrolled in MFA?
No. Users cannot opt out of MFA. This applies to all users, including users who are not required to enroll in MFA - any former students/alumni, former faculty/staff, or retirees who elect to enroll in MFA will not be able to opt out.