Rollout of Duo Authentication Service for Added IT Security – July 13, 2015
Vice President for Information Systems and Technology John Charles sent a letter to the MIT community about the rollout of the Duo two-factor authentication service, which will protect systems, services and accounts for which a password alone provides insufficient security. Duo enrollment for staff and affiliates will be linked to the annual certificate renewal process.
July 13, 2015
To Members of the MIT Community,
Due to ever-growing increases in computing power, information technology (IT) security breaches are now commonplace. The availability of sophisticated password-cracking tools means that even strong passwords can be compromised. Passwords are secure only as long as they remain secret and that, in turn, is based on their being transported and stored securely. Recent vulnerabilities in the Internet’s underlying encryption systems demonstrate the risk of depending solely on passwords. Incidents at Internet service providers have also shown that passwords can be compromised from within the systems where they are being stored.
Two-factor authentication is a security mechanism used to protect systems, services and accounts for which a password alone provides insufficient security. It is based on the principle of something you know (your username and password) and something you have (your cell phone or a hardware token). Users are first prompted to authenticate with their username and password; they are then prompted for a second authentication step using their mobile phone or other device.
Starting this fall, MIT will begin to require the use of a two-factor authentication service called Duo for systems and applications accessed through the Touchstone authentication service, administrative access to systems managed by IS&T or located in IS&T data centers, and remote access to the MIT VPN. Duo authentication will be required from wherever you connect, whether via direct connection to MITnet, VPN, or from a remote address.
Rollout of Two-Factor Authentication
You will be prompted for the second authentication factor when using protocols such as Microsoft’s Remote Desktop Protocol (RDP) and Secure Shell (SSH) to access these systems.
Securing Sensitive Data in DLCs
To meet this recommendation for securing sensitive data, DLCs can:
IS&T also strongly recommends that, effective immediately, DLC-hosted systems be secured using two-factor authentication for remote access, thereby aligning IS&T and DLC remote access requirements across MITnet.
These changes will aid the Institute in better securing MIT’s IT environment.