Q&A: What you need to know about multi-factor authentication for logging into your UCLA accounts

Learn how to enroll, why it’s more secure, where to get assistance and why UCLA is using it

On Oct. 31 all UCLA faculty and staff will be required to use multi-factor authentication when logging into Bruin Online services.

UCLA is in the process of enrolling its campus faculty, staff and student workers in a multi-factor authentication, or MFA, process that will require employees to provide a secondary piece of information to verify their identity when logging into UCLA system resources.

Multi-factor authentication requires a user to present two or more independent credentials in order to gain access to a system. The goal is to make it difficult for any unauthorized person to gain access to a user's account. If one factor is compromised, such as a password, an unauthorized person would still need the other factor, like an access code, to gain access to the system.

One way people already use multi-factor authentication is going to the ATM, which requires a combination of a bank card (something a person possesses) and a PIN (personal identification number, something that the user knows).

UCLA has partnered with Duo, a downloadable app for smartphones, to provide MFA capabilities. Employees are asked to enroll by Oct. 31.

In this interview, which has been edited for brevity, Andrew Wissmiller, associate vice chancellor for information technology services, explains why this is happening, how to enroll and methods to protect against cyberattacks.

Why is multi-factor authentication important?

Multi-factor authentication is a security technique that adds extra protection when you’re logging into online accounts. Our past practice has been to use passwords to secure our accounts but current experience shows that passwords no longer provide adequate protection. Due to the increasing number of accounts that have been compromised globally and locally, there is a black market for buying and selling user IDs and passwords. Technology also exists to break just about any password through brute force or other techniques. If an individual’s account becomes compromised it provides an unauthorized entry that puts our systems and other users at risk, so it’s not just a single person that is impacted. The potential for attackers to move laterally throughout a network and systems can be a serious problem.

Why are we doing this now?

We have seen an increase in the number of phishing and spear phishing attempts directed toward our faculty and staff. The easiest way to hack an account is to trick someone into giving you their password. A cybercriminal doesn’t have to spend a lot of time and energy cracking a system or bypassing security if they can log in using your credentials. As security controls have tightened up, cybercriminals are increasing the use of compromised credentials as an attack method.

How do I enroll?

Instructions for enrollment are pretty straightforward and are designed to provide flexibility, depending on how you choose to access your accounts. You simply enroll and the next time you log in using UCLA Logon it will prompt you for a push to your mobile phone or your landline or whatever device you are using.

You have a lot of flexibility in terms of setting it up the way you want. We find the cell phone is the easiest and most convenient way to use MFA, but if you don’t have a cell phone, you can definitely set up by registering your office or home phone line, or both, or using a token.

For those who work from home, at times, you can go to the enrollment page and add your home phone. We suggest that people have two or three mechanisms, so if your cell phone is out of power, for example, you have another way to receive the required push notifications. You can add to or modify how you get notifications over time. You can also generate 10 text codes that can be used over time. You can just tuck them away and use them when needed. It will recognize those codes and let you log in.

How long does it take to enroll?

It takes about five minutes. It’s very simple in terms of downloading the Duo app, enrolling your phone and completing the few short steps it takes to set it up like you want.

Why do we have to download an app?

You only need to download the app if you plan to log in to your UCLA accounts using a mobile phone or tablet. The app we have chosen, Duo, is free to download, cost-effective for the campus, proven and commonly used in higher education environments. At UCLA, we are providing single sign-on and MFA protection for more than 700 campus applications.

[Editor’s note: for users who don’t want to download the app or don’t have a smartphone, there are other options, including receiving text messages.]

What happens if I don’t enroll by Oct. 31?

After Oct. 31, when you attempt to log on, the system will let you sign in, but rather than take you to what it is you’re logging into, it will give you a notice that you have not logged in and you need to enroll. You then enroll and it will let you proceed with what you were trying to do.

What if I don't want to enroll? Is it possible for me to avoid this?

No. You must enroll.

What if I try to enroll, but I need help?

There are many options for assistance. Departmental IT groups are available to work with faculty and staff. Alternatively, you can go to our webpage for additional information, call the Bruin Online help desk at 310-267-4357 or go into the Bruin Online office, located at Kerckhoff Hall, Suite 124. If you need help, it’s available. One-on-one faculty and staff support is also available. And of course, it’s better to take care of this as soon as possible. Don’t wait until the last minute.

Is it just UCLA campus employees who have to enroll in multi-factor authentication?

No. On campus, we are starting with employees first; however we will soon require the same of all students and alumni with UCLA accounts and essentially anyone who uses UCLA online resources — including retirees. Enrollment won’t be required for those trying to access public content, but if you are using an application that requires a UCLA login it’s important to protect that. In addition, UCLA Health is working on a multi-factor authentication process for its employees. It is on a different timeline, but is in progress.

What has the response been so far?

We’ve had an amazing amount of support from faculty and staff who are endorsing this move, which is welcome. To date, more than 17,000 individuals have enrolled.

How can I help protect myself and UCLA from cyberattacks?

It really comes down to being aware in terms of clicking on links, opening attachments and not responding to suspicious requests that ask you to enter your ID and your password. No legitimate organization is going to ask you for that.

If you receive an email that you believe may be a phishing or spear phishing scam, please report it to IT Services immediately. The sooner we know about it, the sooner we can work to shut it down. I also recommend that members of the UCLA community empower and protect themselves at work and at home by reviewing UCLA’s cybersecurity resources and attending training events.