Information Technology Governance Committee (ITGC)

Letters to Community: Duo Memo


Rollout of Duo Authentication Service for Added IT Security – July 13, 2015

Vice President for Information Systems and Technology John Charles sent a letter to the MIT community about the rollout of the Duo two-factor authentication service, which will protect systems, services and accounts for which a password alone provides insufficient security. Duo enrollment for staff and affiliates will be linked to the annual certificate renewal process.

July 13, 2015

To Members of the MIT Community,

Due to ever-growing increases in computing power, information technology (IT) security breaches are now commonplace. The availability of sophisticated password-cracking tools means that even strong passwords can be compromised. Passwords are secure only as long as they remain secret and that, in turn, is based on their being transported and stored securely. Recent vulnerabilities in the Internet’s underlying encryption systems demonstrate the risk of depending solely on passwords. Incidents at Internet service providers have also shown that passwords can be compromised from within the systems where they are being stored.

Two-factor authentication is a security mechanism used to protect systems, services and accounts for which a password alone provides insufficient security. It is based on the principle of something you know (your username and password) and something you have (your cell phone or a hardware token). Users are first prompted to authenticate with their username and password; they are then prompted for a second authentication step using their mobile phone or other device.

Starting this fall, MIT will begin to require the use of a two-factor authentication service called Duo for systems and applications accessed through the Touchstone authentication service, administrative access to systems managed by IS&T or located in IS&T data centers, and remote access to the MIT VPN. Duo authentication will be required from wherever you connect, whether via direct connection to MITnet, VPN, or from a remote address.

Rollout of Two-Factor Authentication
IS&T will couple optional enrollment in the Duo service with the annual certificate renewal process. You will need to use Duo for:

  • Touchstone and web services authenticated through Touchstone (such as Atlas, Barton, and Stellar): staff and affiliates by September 30, 2015; students by Summer 2016
    Note: Details about the student rollout of Duo for Touchstone will follow in the future.

    You will be prompted for the second authentication factor as part of your sign-in to Touchstone; this authentication will remain in effect throughout your browsing session. You can also select the "Remember this device" checkbox, which enables Touchstone to maintain your two-factor authentication across browser sessions for 30 days.

  • MIT’s VPN Service: all community members by September 30, 2015

    You will be prompted for Duo’s second authentication factor every time you access MIT’s VPN Service.

  • Remote access to systems supported or managed by IS&T or located within IS&T data center facilities (administrative access): all community members by September 30, 2015

You will be prompted for the second authentication factor when using protocols such as Microsoft’s Remote Desktop Protocol (RDP) and Secure Shell (SSH) to access these systems.

Duo Availability
Community members are welcome to start using Duo immediately. To sign up, go to the MIT Duo Security Account Management page. Once authenticated, you may enroll your device and enable two-factor authentication.

To learn how to install and use Duo at MIT, see the Two-Factor Authentication with Duo page in the Knowledge Base. You may also want to check out Duo’s Guide to Two-Factor Authentication. If you have questions, contact the IS&T Computing Help Desk at or 617.253.1101.

Securing Sensitive Data in DLCs
IS&T strongly recommends that departments, labs and centers (DLCs) implement two-factor authentication using Duo or provide enhanced security measures for any systems used to manage or store sensitive data. Support and resources will be available from IS&T to help DLCs secure their locally managed systems. This includes any systems used to manage or store the following types of information:

  • Any data protected by Massachusetts regulations, which MIT has defined as Personal Information Requiring Notification (PIRN); examples include first and last names combined with social security numbers, driver's license numbers, financial account numbers, or credit card numbers

  • Any data that has legally or industry-mandated requirements with respect to its management and storage. Examples include student data regulated by the Family Educational Rights and Privacy Act (FERPA), medical information regulated by the Health Insurance Portability and Accountability Act (HIPAA), and credit card information regulated by the Payment Credit Industry Data Security Standards (PCI-DSS)

To meet this recommendation for securing sensitive data, DLCs can:

  • Use Duo two-factor authentication directly
  • Migrate systems to an IS&T Duo-enabled service offering
  • Provide other enhanced security measures
  • Opt not to store sensitive data directly on the DLC’s system

IS&T also strongly recommends that, effective immediately, DLC-hosted systems be secured using two-factor authentication for remote access, thereby aligning IS&T and DLC remote access requirements across MITnet.

These changes will aid the Institute in better securing MIT’s IT environment.


John Charles