Increased Risk
As CIO Minton wrote in February, universities around the world, including the UO, were already high-priority targets for hackers before COVID-19. Cybercriminals try to steal credentials from UO faculty, staff, and students in hopes of gaining unauthorized access to UO systems that contain personal information, research data, and intellectual property.
Since the COVID-19 outbreak began, such attacks have only increased globally.
At the same time, the pandemic has made universities more vulnerable. The vast majority of UO students, faculty, and staff are now learning and working off campus, where it is more difficult for our institution to secure data that would typically be accessed through our campus networks.
Simple yet Powerful
Thankfully, two-step login blocks nearly 100% of attacks based on credential theft, according to research by Google and Microsoft.
At a time when everyone is adjusting to so many other changes, we’re glad to report that two-step login with Duo Security is as simple as it is powerful. The university’s IT staff, including both of us, have been using Duo for many months already and find it remarkably unobtrusive.
Most people will only have to do two-step login about once a week. Just use the “Remember me for 7 days” option. When your verification day comes, it’s as simple as tapping a button in a mobile app, entering a code, or answering a telephone call, depending on what devices you’ve registered.
Currently, Duo applies to all UO websites that use Shibboleth single sign-on—the familiar “Login Required” screen we’re accustomed to seeing in Canvas, Zoom, MyTrack, Concur, and elsewhere.
In the coming months, UO VPN and other services will follow.
Device Options
If you have a smartphone or tablet, we strongly encourage you to register it for Duo, at least temporarily.
Although other device options exist, they’re better suited to UO’s normal campus operations, when many people have an office phone handy and it’s easier for IT staff to distribute hardware tokens.
For those who are reluctant to use a personal device for two-step login on a routine basis, you can register your device once, then write down passcodes or request temporary emergency bypass codes. Once campus operations return to normal, you can register an alternative device and unregister your smartphone.
Getting Help
Because logging in is such a fundamental aspect of nearly everything we do at the university, some people may be concerned about how two-step login will impact them. The university and Information Services remain committed to working with IT staff throughout the UO to minimize any impacts and ensure a smooth rollout.
Together we can advance cybersecurity at the University of Oregon. Thank you for helping us achieve that goal.
Sincerely,
Jessie Minton
Vice Provost for Information Services and Chief Information Officer
Leo Howell
Chief Information Security Officer
Yes
Duo is mostly innocuous
It’s great you can run the app and it’s going so smoothly for you.
Those of us who *can’t* run the app (anyone with older/cheaper devices with outdated OS/no storage, anyone who roots a device for other personal purposes, or anyone who doesn’t even have a *smart*phone) are definitely feeling the sting from this.
Also, with no app, apparently the 7-day remember option doesn’t even work and you can’t generate backup codes for if your device breaks/you lose service/other drama happens.
It’s interesting that the highly paid administrators get plush car allowances, the claim being they use their cars for official work, but regular employees can’t get phone allowances for using their phones for official work.
You should not have to provide your own tools to do your work, unless you are working in a trade that is represented and the CBA that covers your position specifies you bring your own trade-specific tools. If your employer requires you to have access to data services, then locks them up, it’s on the employer to provide the key. And you should (unless UO went cheap on the features available from Duo) be able to use a token for access. Bottom line – if you use your own phone for work, you get what you pay for: the expectation that they can distribute the costs of doing business across their employees.
I’m into hating the admin as much as the next guy, but come on. Most people have a smart phone. There is no additional cost from the app. And if you don’t have a smart phone, you should just get one. It will probably improve your life even accounting for the hassle of a duo.
Like. That said, you make me wonder if UO could fire a professor if they simply stopped using email?
Part of the issue though is that they’re assuming 100% of people have smartphones of a certain caliber or higher. If you’re poorer, you may *have* a smartphone, but the cheaper options often have older OSes (unsupported), or virtually no storage, and the difference between a $100 phone that your carrier will basically just give you and an $800+ phone that you only get if you sign a contract for a more expensive plan than you would otherwise need can be significant.
Then there’s also the issue that personal smartphones have a *lot* of access to you, and how much data apps can collect. The entire ecosystem technically gets “consent” from the user in a legal sense, but it’s consent where if you don’t agree then you don’t have a device everyone just assumes you have, and it’s “consent” with a private company.
For some folks, upgrading (and maintaining that upgrade) to be compatible with this mandate is a financial burden. For others, it represents a serious indirect invasion into privacy, as even if UO isn’t mandating something that snoops on data, it is mandating you sign up for something that *does*.
I don’t think the hate is on the idea of requiring the security, I think the concern is over the far-reaching implications that those who didn’t already have a compatible device are probably the most impacted by. There’s almost certainly a strong overlap between “people who still don’t have a smartphone in the duopoly in 2020” and “people who actually read the ToS and hold objections, so they’re gonna care about being forced to agree all of a sudden”.
The “You should just get one” attitude is, probably moreso than you likely intend it, rather close to a mindset that hurts people in edge cases, rather than examine why the system is incapable of better flexibility.
(And to be clear, I am confident you mean well. I simply get the sense you may have had fewer opportunities than some of us to observe some systemic implications in this situation, and hopefully some of our words are helping to clarify why there might exist groups who would be rightly concerned about the pressures to comply placed by making this system more burdensome in specific scenarios, rather than provide multiple options to make the service more convenient for everyone.)
Have it call your land line – simple instructions here: https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=107876
Of course this may not work if you are still using a dial phone, or have tapped into the phone system with your dad’s old Army field telephone: https://youtu.be/kz-yytNbOyc?t=35
Yes, I’m holding on to my perfectly serviceable iPhone5 as long as I can, especially in these uncertain times when I don’t know if my pittance of a classified salary will be commandeered by my betters.
Would that include PPE? Because I hear management thinks masks should be provided by your union….
If one looks carefully at carefully worded guidance that will be forthcoming, you likely will be recommended to wear a mask, rather than required. This is part of that; another part is that if your employer requires you to wear protective gear, there are federal (and likely similar state) laws that mandate documented training in use of protective gear. This ain’t a union thing, per se, it’s a statutory thing, influenced by the state of emergency or absence of one, and workplace safety laws. Essentially, workplace safety is the responsibility of the employer. See 29CFR 1910.132(b) and (d)(2)
Been using it for over a year with no problems. I love it.
When it says, “The list of UO services protected by Duo will include Office 365 starting June 3,” what does this mean? Every time I use my computer, I’ll have to do the two-step log-in?
Just once a week. I hope.
What I *hear* is that local apps (Outlook*, Teams, OneDrive) and the web interfaces (anything Microsoft and cloud-based, so pretty much all Office stuff in your browser) will want to verify, and will supposedly also offer the once-a-week thing* (again, supposedly that option requires push authentication, which requires the app).
Alas, getting into an early test group is less trivial than one might hope (and I know I’m not alone in asking), so the *exact* behavior is not something I can comment on until we’re all there anyway, but it does sound like a possibility that some of us are going to get a few calls *every morning* as OneDrive tries to synchronize, and then opening Outlook and Teams, then some of us will of course need to VPN and that’s supposedly in the works to require Duo too…
——–
* Oh, when I say Outlook, that gets more complicated. The rebels using other e-mail clients will have an interesting time, because the thing actually requiring 2FA/Duo will be the cloud-based UOmail part. If your local client *doesn’t* support the 2FA, then it might well just stop working after this change? If the client *does* support 2FA, I presume it’ll work but just need you to follow whatever process it uses to comply with Duo. I kept saying Outlook because that’s technically what we’re all using, but alas, not using Outlook probably won’t make life easier.
If you install the phone app, does it mean UO has the right to track your phone information? There was something along those lines when we switched to Outlook (about the Outlook app on a phone) that was a little nerve-inducing.
Aside from the security implications (you get to the app store with a *personal* account, with *personal* ToS, so Google/Apple gets to link your personal/work accounts, and use the weaker protections of the personal one to see stuff that should maybe be contractually protected, because you “agreed” to that when “you” linked the accounts?), this is one of the serious concerns I have with the campus just *assuming* that everyone is on-board with using personal devices for work like this.
I think the strongest wordage I’ve seen to date is a mandate to immediately report it to the campus if one’s personal device is lost and it has any UO-tied 2FA tied to it (app, phone number, whatever), but the more we keep just *expecting* people to have things like Outlook and Teams and Duo, the more this is an issue the campus needs to formally spell out and stick to.
I’m guessing the tension is that formally spelling this out would cause basically *everyone* to demand work-funded devices, and there might be “budgetary concerns” over that (and the fun optics of where there is/isn’t a budget for what), so it’s probably considered easier to just let it be effectively mandated in practice without it “officially” being a “formal” rule.
Thanks, that jogs the memory – I recollect something like if you have the Outlook app, UO is able to remotely lock your phone if you report it missing. That gave me significant pause, so I stayed with the web-based option for phone use.
Most of us have to mix personal and work devices (who wants two phones?) but I don’t want my workplace to be able to infiltrate my phone.
Outlook, facebook, there are just some things that will not touch my iDevices.
Do you have to have a cell phone? Asking for friend.
A smart phone and brand tone word training are now mandatory for all faculty and staff.
This is all simplest if your friend has an Android Cell Phone;
I-phone should mostly work but it could flake out; the app is designed specifically for an android phone.
Frankly, there are better ways to do this two-step login thing,
but the UO chose this way, and hence it is most excellent or perhaps they are just tone-deaf …
I’ve got an old iphone, duo works great for me. Though I am bit worried about how the Duck coaches are going to manage it with their burner phones.
You *shouldn’t* need to have a cell phone. Duo also used tokens – basically an electronic 1-use cipher code book. It’s a little keychain fob with a button that you set up with your account. Bottom line, you shouldn’t need to have a cell phone; that said, if UO cheaps out on the features and has a plan that requires cell phones, then they have to provide it for you.
My iPhone5 is too old for the Duo Mobile app. I just registered my cell phone as my “home landline” and I get a call, press 1, and I’m in. This is also a solution for those who would rather not (further) commingle their personal phone with UO apps.
Does this work for 7 days or does it call you each time you log in? In any case it sounds easy, the instructions are here: https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=107876
Alas, Sir, you have uncovered the flaw in my cunning plan: I cannot choose the option to have the login last for 7 days. Off to make an appointment to get a token. Will use the cell phone as my secondary device; IT wants us to have 2 options in case the first fails/is lost/etc.
Using safari on a mac, the remember me for 7 days thing doesn’t work unless you disable “prevent cross-site tracking.” This means you have to choose between your computer’s security or constant logins, in service of UO’s security theater.
You can use a landline or cell phone or both. I added both my office landline and my personal cell and each time I can choose which phone Duo will call.
Instructions here: https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=107876
What a total hassle. I’d rather just not check my UO mail while abroad.
Then what happens when we’re abroad, sometime in the future when abroad is accessible again? I do not use my American cellphone when I’m abroad. I certainly don’t want to have to lug it around and charge it up all the time just so I can do the annoying two-step log-in so I can work on my computer and get my UO email for the duration. So how does it work when we’re abroad?
Not much different overseas, except if you’re visiting North Korea. It’s explained here: https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=108116
You can use a UO-issued token/fob instead of a smartphone if needed. See more info link in article.
I use iPhone and it’s easy. Coworker has the token
The UO supports a hard token option and you can use a Yubico key. This is a small device you carry on your key ring and insert into your computer, pad, phone etc. Comes in several form factors so you can use a USB port, Lightning or whatever. This is a thing you’d buy yourself unless your department is privacy aware and supplies it for you. The UO will provide DUO hard tokens but they’re trash.
Using your private phone number is a privacy risk – and you’ll see many big ID providers asking for a second factor – banks, brokers, social security –
They can and do use any phone data supplied as part of risk profiling and will run a credit check in some cases.
I got a bunch of Yubi keys and it takes a bit of fiddling to set up the first time but it’s worth it. You can also lock your laptop with a Yubi key if you’re worried about security when you carry it around. Handy – the high end ones cost $70 but there are cheaper options