ITS to implement mandatory two-factor authentication for VPN access, disable outdated connection protocols

Starting April 20, ITS will require all users of Case Western Reserve University’s VPN to register a form of two-factor authentication on their accounts in order to continue accessing the service. This changes the policy set by the VPN update implemented in January, which introduced two-factor authentication but did not require it. ITS believes that the use of two-factor authentication will increase security for the university’s technology resources by preventing unauthorized users from gaining access to accounts even if they have the password.

Two-factor authentication increases security by requiring another form of authentication in addition to a password. These secondary forms of authentication can include a hardware key generator, an application on a smartphone or a code sent in a text message. This method of authentication ensures that unauthorized users cannot gain access to a person’s account unless they are in possession of the device used to generate the additional key.

ITS has chosen Duo Security to be the two-factor authentication provider for the new system. The company offers applications that generate the codes required for login on iOS, Android and Windows Phone compatible devices. In addition to authenticating with a code, the app allows a user to confirm their login by responding to a push notification. The application does not require an internet connection to work, so it can be used to log in anywhere. If users of the system do not have access to a smartphone, login codes can also be sent by text message or by phone, or taken from a previously generated list of codes.

ITS recommends that at least two devices be registered for any account. Currently, devices that can be registered include landline phones, cell phones, smartphones and tablets.

Although the system is currently only available for VPN login, ITS is looking to expand the services to other login systems such as Single Sign-On, which is used to gain access to services such as Blackboard and email.

In addition to a comprehensive guide to setting up the authentication system, ITS has created a series of training videos in order to make enrolling in the system as easy as possible.

In another attempt to increase VPN security, ITS is disabling access to the network using IPsec-based clients. This protocol is used in clients built into operating systems, such as Mac OS X. After this change, ITS recommends that all users of the VPN use the Cisco AnyConnect client available on its website.