Multi-Factor Authentication


WSE IT’s Multi-Factor Authentication Overview

A growing number of systems at JHU now use multi-factor authentication, also called MFA, two-factor authentication, or step-up authentication. Examples of systems that already use MFA are your online W2 and Employee Self Service (ESS) in myJH, the new VPN client, and your webmail when you are traveling internationally.  In your web browser the flow usually works like this: you first enter your normal JHED ID and password, and then you are prompted either to provide some additional information or to approve the login by tapping a button in an app on your cell phone (or even on your smartwatch!).

For those with smartphones, the push notification to the authenticator app is probably the easiest method, but there are several types of MFA at Hopkins, including time-based codes generated by the app and codes sent by text message.  In all cases the extra factor acts as a second, short-lived password for your account: each code is generated for a single login and expires quickly, so a code that is stolen cannot be reused later the way a static password can.

Although the IT@JH documentation does a good job with step-by-step instructions, it can be hard to find and does not provide context specific to the WSE community.  This page ties the how-to instructions together with the bigger picture.

I HATE Multi-Factor Authentication

We know, but it's important.  Passwords are easy to guess or steal, so on their own they are basically obsolete for anything you really care about.  You need to care about your JHED account because it has access to sensitive information: your payroll information, financial and student records, your email, and so on.

Adding a time-based, single-use second factor adds considerable protection to your account.  A password tends to be static and can be compromised in many ways, and once stolen it keeps working until you change it; a time-based code like the MyIT Login Code becomes useless after a minute.  This defeats the most common attacks on accounts, such as guessing your password or reusing a password that leaked from another site.

It Doesn’t Have to be Painful

Using the MyIT Login Code doesn't need to be painful.  Historically there has been an emphasis on receiving these codes by SMS, but that's frustrating: you have to type the code in, and when traveling it can be expensive or impossible to receive an SMS message.  The smartphone app only needs a data connection to receive the push notice, so when traveling you don't need to worry about having SMS service (and a time-based code generated in the app needs no connection at all, since it is computed from the current time).  Just tap the approval button on your lock screen and you're done.

How to get started

This video shows how to get the app configured on your smartphone.  You can click here to enroll (this is the link mentioned in the video).

Is convenient also secure?

In this case, convenient is also secure, or at least far more secure than a password alone.

  • Without a time-based passcode, an attacker has a relatively easy job: automated tools can make a large number of guesses at your password over time and are shockingly good at it.  Further, if a password you reuse on more than one site is compromised, the extra passcode keeps the attacker from reusing the stolen password on Hopkins systems; they get past the password but cannot produce the time-based passcode.
  • The MyIT Login Code expires every minute and is good for a single login, so even if your JHED password and a login code were captured (by a keylogger, or over an insecure network) the attacker cannot replay them later to reach your data.  The one thing a captured code is good for is a login within that same minute, which is why you should never read a code to anyone who calls or messages you asking for it.
  • Systems that rely only on SMS have been compromised many times: the attacker convinces your carrier to move your phone number to a SIM they control and starts receiving your text messages.  Moving your number does not affect the push notifications or time-based codes of the MFA app, because those are tied to the app enrolled on your device, not to your phone number.
  • If your phone is lost or stolen, re-enroll MFA on your new device, which invalidates the secret key on the old one, and change your password at the same time.