What is Multifactor Authentication and when do you have to enroll?

UC Riverside faculty, staff and students began getting the notices in recent weeks: Multifactor authentication is coming to the campus.

So, what exactly is it and what does it mean for you?

Multifactor authentication, or MFA, is an enhanced cybersecurity measure that all who access UCR’s computer applications will need to act on by April.

“If you receive a paycheck, you receive benefits, you will need to be enrolled in MFA,” said John Virden, chief information security officer for UCR’s office of Information Technology Solutions.

Users will now be required to provide a second verification method to gain access to certain UC applications after logging on through the Central Authentication Server.

That second credential can be a “push” notification or access code sent to your phone, an access code emailed to a non-university account or even, in rare cases, using a pager-like device to get an access code.

Phone with mfa alert — Smartphone users can approve MFA alerts by tapping approval.

Users can select from those choices when they enroll in the program.

“We’re trying to provide people with the options that work best for them,” said Rebecca Hutchins, communications and assessment manager for Information Technology Solutions, or ITS.

Smartphone users can download an app called Duo Mobile that will deliver push notifications or access codes. The push notification allows users to verify and access accounts with a simple tap.

The idea of MFA is to create a multi-layered approach that makes it harder to hack a computer system or access someone's personal data, Virden said. Even if a password is compromised, the hacker could not get into the system without access to the user’s smartphone or non-work email account, he said.

ITS is rolling out the implementation in stages, starting with the notifications of the new requirements in December. As of Jan. 29, it will be required for all faculty and staff who access sensitive data on ITS-managed systems. Then through February and March, it will be required for students using UC systems. By April 2, all faculty, staff and employed students who have access to UCPath should be enrolled.

“We didn’t want to be the campus to just switch the flip and force people to do it,” Hutchins said. “We wanted to give them options.”

ITS staff has been meeting with different campus groups to educate them about the implementation and encourage them to start enrolling.

As part of that effort, ITS will be holding an open house Jan. 22-24 from 11 a.m. to 2 p.m. at a booth near the Bell Tower. BearHelp team members will be on hand for in-person training on how to enroll.

MFA is being implemented throughout the entire University of California system based on the recommendations of the UC Academic Senate and its Committee on Faculty Welfare. Last year, the UC system had three cases of identity theft in which pension funds were stolen.

The committee recommended that all salary and pension information be placed “behind a wall with multifactor authentication.”

UCR alone faced more than 11,500 successful phishing attacks last year – or about 34 daily -- in which attackers sent a false email to users suggesting they update their passwords or click on malicious links. In such attacks, hackers can gain access to confidential passwords and/or download malicious software to the victim’s computer.

ITS staff can spend between 20 minutes to four fours dealing with a single attack, Virden said. With MFA, that number of compromised accounts would drop to almost zero, allowing ITS to devote its resources to helping the campus in other, more proactive ways, he said.

Users can manage their passwords and enroll in MFA at https://myaccount.ucr.edu. More information on MFA is available at an information page created by ITS.