[IGPP Everyone] [EPSS Everyone] Update on Multifactor Authentication

SALYARDS, STEPHEN salyards at epss.ucla.edu
Wed Oct 11 11:38:16 PDT 2017


Good morning,
  Over the last week I have been able to get several more important details related to the upcoming Multifactor Authentication - MFA for short. Here are some of the most important details.

First - who is affected?
As previously noted all faculty and staff of the university must use MFA starting October 31. To be precise, anyone who is an employee of the university will need to use it. On the one hand this may mean that our emeriti faculty do not need to - although I would encourage that they do. On the other hand, this means that all the students we employ in various capacities will need to have MFA, even if their work here is in no way connected to or uses their UCLA Logon ID, other than filling out the time sheet.

Second - what are your options?
The university is encouraging people to use the DUO app on their smart phones of whatever flavor as the primary method of secondary authentication for the MFA. Talking with many of you this is not a preferable option for you for a wide variety of understandable reasons. You may be interested to know that as of a couple of weeks ago only 9% of users across campus who had signed up for MFA had enrolled in this option, so our department is reflective of the campus as a whole. The DUO app does provide a number of advantages but is not required and not always preferable.

The most popular option by far is the text message with the codes. Using this method you can regularly request a new set of ten codes be sent to you and then it prompts you to use them incrementally when you log in. That is to say, a hint is given like "Your next code starts with 2." You still need a phone that can get text messages but the old flip phones will work. And if you use this method it does not work with the Cisco VPN client and it will automatically default to the phone call method.

The third and final advertised method is the phone call. You put one or more phone numbers into the record for your account and when you try to log on it will call you. The message is basically to hang up if you are not trying to log in and push any button if you are. As I said, multiple phone numbers can be on record so it will try to find you at your office, at home or on your mobile phone if you want.

And it is possible to use one or all of these methods or to use just one but switch between them. (Although certain changes are not always straightforward.)

Third - hardware solutions
The fourth, and least advertised option, is the hardware solution. There are at least two physical devices that work for this but so far I have only seen one of them in action. This is the Digipass device which is something like the old cryptocards if you have seen those back in the dim ages. (At least I have not seen one in use in the department for many years.) The bottom line is that it is a little device like a car remote key fob that you push the button and it displays a code like you would get with the text message to your phone. The advantage of course, besides the fact that you don't have to find the text message, is that you don't need phone service, or even need a phone for that matter, at the time you are logging in.

Several people have asked "What if I lose it?" It turns out it can be easily replaced and the new one associated with your account.

One thing to know about the hardware device is that you must have set up MFA on your account before you can register the device. So do the phone call method and then register it.

If you are interested in seeing the hardware device I am carrying it around so stop me and punch up a few code numbers on it.
And as I indicated earlier, there are other hardware solutions and I will report back later after I go to a demo of those tomorrow.

I hope this helps you in adopting MFA. As always, check with myself or Rod if you have questions.
Take care
Steve Salyards