Securing Authentication at NIU
Before SSPR was implemented at NIU in November 2017, the Division of Information Technology (DoIT) performed approximately 20,000 password resets over the phone each year at a cost of close to $120,000/year. The Microsoft-based SSPR asks you to register alternate contact methods (text to a phone; call to a phone; non-NIU email address); then, when you need to change your password or have forgotten it entirely, SSPR uses one of those stored contact methods to verify you and assist you.
The new SSPR functionality should have resulted in a large amount of cost savings for NIU, but the Service Desk still processes password resets for many who may not have completely or accurately added alternative contact methods. This is costly, but perhaps more importantly, the validation of identity over the phone presents a security risk. Asking for a name, NIU Account ID, a birthdate, or even the last four digits of a Social Security Number is no longer a best practice to validate identity when so many of these data elements are easily discoverable by bad actors.
For these reasons, the IT Service Desk will cease performing password resets over the phone in March 2019 for currently employed faculty/staff and enrolled students who already have access to SSPR. We will, of course, continue to reset passwords in person at our Technology Support Desk in Founders Library or in rare circumstances where an in-person reset presents an undue burden in comparison with the security risk of a data breach.
Multi-Factor Authentication (MFA): Coming to Faculty and Staff in February 2019
MFA helps safeguard access to data and applications. As the name suggests, a multi-factor solution uses at least one factor from two or more categories to validate whether an individual’s identity can be confirmed. Generally, the categories are:
- Something you know - a password, the answer to a security question, a birthdate
- Something you have - a number sent to a cell phone, a validation link sent to a secondary email address, a key to a lock
- Something you are - a fingerprint, voice recognition, or facial recognition
In practical terms, asking for a password and a birthdate is not adequate because both of these things are something you know and therefore susceptible to a single data breach into a system that stores this information. On the other hand, asking for a password along with a unique and one-time code sent to your cell phone is true multi-factor authentication.
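The rule stated above (at least one factor from two or more categories) can be expressed as a small policy check. The following is an added example for this article, not NIU's or Microsoft's code; the factor labels and their category assignments are constructed here to mirror the three categories listed, and the check reports the same failure mode the paragraph describes: a password plus a birthdate both fall under "something you know", so together they are not multi-factor.

```python
"""Evaluate whether a set of presented authentication factors is truly multi-factor."""
from enum import Enum


class Category(Enum):
    """The three factor categories the article lists."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed factor labels for this example, each mapped to one category.
FACTOR_CATEGORIES = {
    "password": Category.KNOW,
    "security_question": Category.KNOW,
    "birthdate": Category.KNOW,
    "sms_code": Category.HAVE,          # one-time code texted to a phone
    "phone_call_code": Category.HAVE,   # one-time code read out by a call
    "email_link": Category.HAVE,        # validation link to a secondary email
    "hardware_key": Category.HAVE,
    "fingerprint": Category.ARE,
    "face": Category.ARE,
    "voice": Category.ARE,
}


def evaluate_factors(factors):
    """Decide whether the presented factors count as multi-factor.

    Returns a dict with:
      is_mfa     - True only if the factors span at least two categories
      categories - sorted names of the categories actually covered
      reason     - short explanation, most useful when is_mfa is False
    Raises ValueError for a factor label that is not in the table.
    """
    covered = set()
    for factor in factors:
        try:
            covered.add(FACTOR_CATEGORIES[factor])
        except KeyError:
            raise ValueError(f"unknown factor: {factor!r}") from None
    names = sorted(c.value for c in covered)
    if len(covered) >= 2:
        reason = "factors span %d categories" % len(covered)
    elif len(covered) == 1:
        # The article's failure mode: password + birthdate are both knowledge
        # factors, so one breach of the store holding them defeats both.
        reason = ("all factors are '%s'; a single breach of the store that "
                  "holds them defeats every factor" % names[0])
    else:
        reason = "no factors presented"
    return {"is_mfa": len(covered) >= 2, "categories": names, "reason": reason}


if __name__ == "__main__":
    for combo in (["password", "birthdate"], ["password", "sms_code"]):
        print(combo, "->", evaluate_factors(combo))
```

Counting distinct categories rather than distinct factors is the whole point: adding more knowledge factors never raises the count, while one possession factor (a one-time code sent to a phone) alongside a password does.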
Why do we need MFA?
Identity theft is an easy, low-risk, and high-reward crime. According to Verizon’s Data Breach Investigations Report in 2018, weak or stolen user credentials are used in 95% of all web application attacks. And it’s not just about data theft: hackers also destroy data, change programs, and use servers to transmit spam or malicious code. Anti-virus software and advanced firewalls and detection/prevention systems are necessary security elements, but if user authentication is compromised, then we have just unlocked and opened our front door to intruders.
How does MFA work at NIU today?
In late 2016, the IT Steering Committee that governs the Division of Information Technology’s (DoIT’s) project work approved an effort to implement an MFA solution across campus that would reduce the number of compromised accounts, roll out self-service password resets (SSPR), and achieve compliance with a number of federal and state laws that actually require MFA for security and privacy protections.
Since then we have implemented SSPR for all faculty, staff, and students (password.niu.edu) and MFA for students who log in to systems that authenticate via Microsoft’s Azure Active Directory (AD) environment. This includes the entire Office365 suite (email, calendaring, OneDrive, SharePoint, etc.) and Blackboard. While enforcing MFA for students drastically reduced the number of compromised accounts and resulting spam in NIU’s O365 environment, the risk of an information security and data privacy breach still remains.
What are the next steps for MFA at NIU?
The next MFA implementation will include faculty and staff who log in to Office365/Outlook, Blackboard, and our secure VPN service (secure.niu.edu) for heightened privileges to private or restricted data.
The good news is that Microsoft’s Azure AD environment will soon combine MFA and SSPR into one user portal (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-converged), making it easier to enter and change a cell phone number and a personal email address, which are used both to authenticate from off-campus and to reset one’s own password.