Update: All Students Req'd to Use Duo

As announced before the start of the Fall 2022 semester, DoIT is proceeding with enrolling all students in the campus' Duo multi-factor authentication (MFA) account security service by the end of the 2022-23 academic year. This includes graduate students, but since many are also employed as graduate or research assistants, they are automatically enrolled as employees. However, to manage potential support issues, and learn from the wider rollout, DoIT has been proceeding with a phased approach focusing on undergraduates starting last month.

Specifically, with dean and chair approval, and review by shared governance groups, DoIT reached out to and/or enrolled 1,053 Information Systems majors in January (about 5% self-enrolled after receiving two messages linking back to DoIT's 8/22/22 announcement with related FAQs). The rest were automatically enrolled on January 17, 2023, similar to how Duo was rolled out for all employees. Then, after the start of Spring 2023 classes, DoIT adopted the same approach with ~2k Computer Science/Electrical Engineering majors, enrolling those who had not done so voluntarily on 2/14/23.

Why Now?

1. The move to an online portal by Retriever Integrated Health for student health information. This information can be highly sensitive and needs second factor protection. 
2. The Department of Education Financial Student Aid requirements now dictate as of June 2023 we work to meet new security requirements aligned with NIST 800-171, which requires stronger authentication practices such as Duo.
3. Targeted phishing email attacks to steal student credentials. Students regularly get their account password compromised in phishing emails telling students they have to login using their UMBC email. The MFA provides the added protection so those accounts can't be used for further attacks on UMBC or other students.

While any student can self-enroll now, it is important to reach out to all students when they are more likely to access -- and still control --their account used in many UMBC IT systems. For example, relatively more CS/EE students self-enrolled in Duo during this semester than IS students two weeks before it. As such, pushing off the student requirement to winter or summer doesn't really address the fundamental problem of securing thousands of student accounts, lest they become unwitting victims and targets of bad actors.

Duo addresses several critical security issues for students. Each year we see a growing trend of student accounts being compromised, this often results in them losing access to their account through identity theft, or losing money through various scams. "In 2022, DoIT Security reset passwords for over 1000 undergraduates and several hundred graduate students because of known or suspected compromises," according to Andrew Smith, Director of Information Security. In most cases, having Duo would stop these incidents and protect the students.

Lessons Learned So Far

There is one key difference in how Duo is being rolled out for 10k students vs. 3k employees: The Call Me function (available to employees) is not available for students because it is not considered best practice and can be abused by hackers. Also, DoIT does not want to encourage students to be taking a call in class to authenticate into Blackboard or another IT system. 

This means students can only use their mobile devices, preferably with the Duo mobile app, or to receive text-messages with a one-time login code. Alternatively, if students don't have a mobile device they keep with them, they can use a hardware token available through the DoIT Technology Support Center. 

"Unfortunately, with the IS and CS/EE rollout, we have seen a few students mistakenly enroll a landline -- even when selecting the "mobile phone" option -- which will effectively lock them out of their account because landlines cannot scan the QR code to activate the Duo Mobile app or receive SMS passcodes," says Andrea Mocko, Manager of DoIT's Technology Support Center (TSC). "However students choose to authenticate, one best practice is to enable the remember me for 30 days option, which will minimize frequent authentication prompts."

Next Steps

With ~3k students enrolled, lessons learned from the IS and CS/EE rollouts, and the remaining number of undergraduates to be enrolled before the end of this academic year, DoIT will begin reaching out to and/or enrolling students by number of credits earned who aren't already enrolled in Duo(see below):

Note: DoIT is prioritizing seniors nearing graduation last given they will be leaving the institution shortly and likely will not be registered in large enrollment, introductory courses with final exams in Spring 2023, which DoIT does not want to interrupt.

To learn how to activate Duo today, visit my.umbc.edu/go/duo.

• More Information about Update: All Students Req'd to Use Duo