The UNE Multi Factor Authentication (MFA) project is being delivered as part of the Cyber Security Rapid Uplift Program (RUP) to address the growing vulnerabilities that the continued use of passwords presents. Recent experience has shown that this improved security control is an essential part of the broader UNE program.

Background to Multi Factor Authentication

Passwords are a known weak point in any organisation’s armoury of cyber-security controls. They are now one of the first points of entry a ‘hacker’ will target, either through simple social engineering (convincing users to share their passwords) or through the use of sophisticated ‘tools’ that are freely available. These will crack even the most complex passwords.

This is becoming a lucrative business stream for persistent cyber criminals, who sell cracked passwords on the ‘dark web’. The greater the level of access, the higher the value.

Multi Factor Authentication was defined some 20 years ago to address this problem. However, technology differences and cost have slowed take-up…until now. This is now on the security agenda for most organisations globally, and forms one of the Australian Cyber Security Centre’s Essential 8 security controls.

What is MFA

Multi Factor Authentication, as the name suggests, is based on the principle of having more than one way of verifying a person’s identity. This follows the concepts below.

A combination of any two out of the three factors will serve to improve the level of confidence that the person requesting access is who they say they are.

The UNE Approach

UNE has selected the Cisco Duo service. This is one of the most widely used MFA services globally and is recognised for its simplicity in implementation and use.

Registration of a user is a self-service function. If a user is Duo authorised and the application they are requesting access to is Duo enabled, they will be prompted to complete a simple registration form. This is the only time they will be requested to do so.

Once registered, when a user requests access to a UNE (Duo enabled) application, they will be prompted for their identity and then requested to confirm, using a smartphone app, that it was them requesting access. Alternatively, they may be requested to enter a code from a hardware token they will need to carry separately.

Next Steps

During October, a trial of two applications, selected based on risk to business and impact during initial implementation, will be undertaken. Technological & Digital Services (TDS) is to be the initial user group, acting as technical subject matter experts to identify and iron out any bugs. The Senior Leadership Team (SLT) is to follow as the next user group. A full deployment schedule will be defined during the trials.

During this period, Duo capabilities will be fully exercised, including system connectivity failures, lost or failed tokens etc., prior to deployment across UNE. This will ensure:

  • Identified failures will have been corrected
  • Exception processes documented in a knowledgebase
  • Communications and training programs developed
  • Operational and Support procedures developed
  • Learnings are fed back to Project Team for improved deployment across UNE

What does Success Look Like

The trial will identify a number of User Stories to determine if the project is successful. These will measure, amongst other things:

  • Reduction in risk to UNE through password compromise.
  • Seamless and simplified access to applications and systems.
  • Reduction in support overhead.

Beyond the trial, the project will continue to develop. This will include:

  • Introducing a Single Sign On capability using Duo capabilities across all UNE systems – authenticate once.
  • Ability to prompt for additional authentication for more sensitive applications or access from insecure locations.
  • Integrate with Privileged Access Management to protect those more sensitive user accounts that protect the UNE business and operational

Questions and comments can be sent to Stewart Hayes on shayes31@une.edu.au