Multi-factor Authentication Policy
Caltech is taking steps to improve the security of its email and file services by requiring Multi-Factor Authentication (MFA) on all campus Microsoft Office365 accounts and other critical applications. Many campus personnel already use MFA when logging into campus systems or services.
What is MFA?
Authentication, both online and in the physical world, normally consists of at least one of the following "factors":
- Knowledge: something you know (e.g., a password or code)
- Possession: something you have (e.g., a physical key or a card)
- Inherence: something you are (e.g., the person with a particular set of fingerprints or facial features)
Traditional online authentication requires only a single factor, usually a username and password combination, i.e., something the user knows. MFA combines that factor with at least one other, such as a physical hardware token ("something you have"). MFA is sometimes also referred to as two-factor authentication, but it is not necessarily limited to just two factors.
Why are we requiring MFA?
Authentication systems based on usernames and passwords alone are increasingly proving inadequate for protecting online resources and the data they process or store. Passwords for campus systems are subject to a wide variety of attacks, ranging from simple repeated automated guessing to theft through sophisticated impersonation schemes such as those used in phishing scams.
MFA using Duo Security is convenient and greatly reduces the likelihood of unauthorized access to a protected account, even if the account's password is already known to an attacker. That protection depends on users approving only prompts for logins they themselves initiated; an unexpected prompt means someone else is attempting to log in with your password and should not be approved. For Office365 access, including email, SharePoint, OneDrive and Teams, users are prompted to approve their login with the Duo Mobile app or by entering an approval code about as often as they are currently prompted to enter their password alone, i.e., whenever accessing the service from a new device, web browser, or software application.