Recently, students have been reporting issues when attempting to use UT’s two-factor authentication system, Duo.
UT has been using a two-factor authentication for the past six years in a variety of areas. Upon enforcing the use across campus last fall, UT assessed other two-factor authentication systems.
Systems such as Duo aim to add an additional step for user identification during the login process. Ideally, this would make it more difficult for cyber-attacks to occur against online users and would ensure a greater sense of online security.
Specifically, on campus, Duo is the system that UT chose to facilitate two-factor authentication for their campus-affiliated users. Use across campus became mandatory in the fall semester of 2019.
According to Bob Hillhouse, OIT’s associate chief information officer and chief information and security officer, Duo met the necessary requirements to achieve the reduction of “the risk of data compromise (both personal and institutional data).”
As of last Thursday, March 26, OIT became aware of a problem involving how users are synchronized into Duo, stated Will Richardson, IT Administration IV of UTK’s Office of Information Technology.
These issues became quite pertinent and concerning because sites affiliated with MyUTK credentials were synced to Duo’s authentication platform.
The issue was not intermittent and did not discriminate in who was affected. Users affected included approximately 2,000 enrolled in Duo, which is less than 0.02% of the system’s total users. Additionally, there was no pattern among users that was detected.
Because this issue did not affect all users at UT, OIT could not prevent or pre-empt the issue.
However, in order to prevent further issues for users already impacted as well as those not yet impacted, UT had suspended synchronizing users and did contact Duo for additional support, according to Joel Reeves, associate vice chancellor and chief information officer.
“Duo found an issue in their synchronization process. They modified their process and requested that we resume synchronizing our users with their cloud service. We resumed the process on Tuesday morning and the issue appears to be resolved,” Reeves said.
Additionally, upon determining a present issue among many users, OIT staff were advised on the how-to in addressing the issue manually.
However, the overall cause of the issue has yet to be determined, according to Hillhouse.
“We are waiting on a root-cause analysis from Duo,” Hillhouse said.
Once the root is known, a plan can be developed to avoid or reduce the chances of a repeating scenario.
Reeves suggested using controls such as two-factor authentication anywhere possible in order to ensure maximum security.
"Account compromise is a top vulnerability exploited by many who commit cyber crimes. This extra step goes a long way to minimizing the risk of such compromise to our institution and its students, faculty and staff," Reeves said.
Though this specific issue has been fixed and reports of issues has ceased, Hillhouse asks for patience with OIT as they work through arising issues.
"These are challenging times for all members of the university community. OIT is dedicated to maintaining the technology and ask for patience as we work through issues that arise," Hillhouse said.
If you experience any technological issues related to campus, whether they are related to the use of Duo or not, you may reach out to OIT’s help desk. Additionally, all issues related to Duo and two-factor authentication are handled by OIT when users reach out.