What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) provides a layered approach to securing access to online accounts by requiring a user to present two (or more) distinct identifying "factors" before access is granted to the account or online resource. The first factor is commonly referred to as "something you know". At UH, this "something you know" would be your normal UH Login credentials (UH Username and password). This username and password combination has been the most common method of authentication in the industry for decades, but it has significant security weaknesses. Used as the sole factor for authentication, it is susceptible to brute force, credential stuffing, and phishing attacks, and if a user's credentials are compromised, an attacker gains immediate access.
Multi-Factor Authentication helps protect against these common types of attacks by also requiring a second factor, commonly referred to as "something you have", at login. This "something you have" is routinely something you possess - a mobile phone, tablet, landline, or physical token. When using MFA, a user will be asked for both their first factor and second factor before access is granted to the account or online resource. Confirmation that you are in possession of your second factor device and are permitting a login is normally accomplished by requiring active interaction with the device (responding to a push notification on your smartphone or entering a passcode that was received via SMS, etc.).
As an example, consider that you've been using Multi-Factor Authentication each and every time you withdraw cash at an ATM. First, you present your debit card ("something you have") to the ATM. Next, you are asked to input your PIN ("something you know"). If either factor cannot be provided, access to your account is not granted and your money cannot be withdrawn. This makes it more difficult for a bad actor who has stolen your wallet (and thus only has one factor) to withdraw your money from an ATM. You may also already be familiar with MFA, as its use has become widespread for many online services, from social media to online banking to gaming and entertainment.
Duo is the service that UH (and many other higher-ed institutions) uses to provide Multi-Factor Authentication. Duo provides a mature platform with several second factor methods and integrates seamlessly with UH Login.
MFA Requirement for UH Faculty, Staff, and Students
The US Department of Education Federal Student Aid Office has notified higher education institutions that the Federal Trade Commission (FTC) amended their Standards for Safeguarding Customer Information (Safeguards Rule) component of the Gramm-Leach-Bliley Act (GLBA).
As part of these amended GLBA requirements, and to safeguard personal information of consumers, UH Information Technology Services (ITS) will be requiring all active students, faculty and staff to enroll in Multi-Factor Authentication (MFA) in order to access the University's online services (e.g., Google@UH, STAR, Laulima, MyUH, etc.). This requirement went into effect on October 2, 2023.
The new GLBA requirements are beneficial. UH has been experiencing ongoing brute force and credential stuffing attacks by cyber criminals attempting to gain access to UH usernames. Since January 1, 2023, we have averaged 20.5 attacks a month, resulting in over 52,000 login attempts that targeted over 49,000 users and led to 35 successful logins. Duo MFA provides additional protections from unauthorized access to your UH username. Duo MFA has been available to UH users since 2016.
Affected Users
| MFA Required | MFA Optional |
| --- | --- |
| Faculty / Emeritus Faculty | Departmental Usernames |
| Staff | Alumni |
| Students | Retirees |
| Prestudents (admitted applicants and financial aid applicants) | Former Faculty / Staff (non-retirees) |
| Affiliates (including Postdocs) | SEED (Na Kapuna) participants |