MFA: Multi-factor Authentication and USNH Systems

Summary

This article provides a broad overview of Multi-factor Authentication (MFA) and how it is used to secure USNH Systems. This is meant for all USNH students, staff, and faculty.

 

Content

Multi-factor authentication (MFA) is used to ensure that digital users are who they say they are by requiring that they provide at least two pieces of evidence to prove their identity. Each piece of evidence must come from a different category: something they know, something they have or something they are.  

If one of the factors has been compromised by a hacker or unauthorized user, the chances of the other factor also being compromised are low, so requiring multiple authentication factors provides a higher level of assurance about the user’s identity. 

 

What are the benefits of multi-factor authentication? 

Passwords are the most common way to authenticate your online identity, but they increasingly provide very little protection. Once a password is stolen, hackers can use those credentials to log into many applications and USNH business systems, bypass other access controls and wreak serious havoc on our campus operations. 

Multi-factor authentication provides a layer of protection for both employees and students that addresses these weaknesses. It diminishes the ripple effect of compromised credentials; a bad actor may steal your username and password, but if they’re prompted for another factor before they can access critical data, make a transaction or log into your email, they are stopped in their tracks.

MFA can also be a key requirement when it comes to complying with certain federal or industry regulations. For example, several federal governing bodies now require, or soon will require, that MFA be implemented in certain situations to prevent unauthorized users from accessing systems that process payment transactions or contain financial, FERPA-protected or HIPAA-protected information. It’s also a key part of meeting strong authentication requirements dictated by recent changes to the GLBA safeguards, and it is a requirement for USNH institutions to receive grants via several federal entities such as the Department of Defense (DOD).

 

How does multi-factor authentication work? 

A user's credentials must come from at least two of three different categories, or factors: something you know, something you have, and something you are. Two-factor authentication, or 2FA, is a subset of MFA where only two credentials are required, but MFA can use any number of factors.

Something you know (knowledge)

The most common example of this factor is, of course, the password, but it could also take the form of a PIN, or even a passphrase--something only you would know.

Some organizations may also set up knowledge-based authentication like security questions (e.g., "What is your mother's maiden name?"), but basic personal information can often be discovered or stolen through phishing or by researching social media sites, which makes it less than ideal as an authentication method on its own.

Something you have (possession)

It's much less likely that a hacker has stolen your password AND stolen something physical from you, so this factor confirms that you are in possession of a specific item. This category includes mobile phones, physical tokens, key fobs and smartcards.

There are a few ways that this authentication works, depending on the item, but some common methods include confirming via a mobile app or pop-up notifications from your mobile phone, typing in a unique code generated by a physical token, or inserting a card (e.g., at an ATM). 

Something you are (inherence)

This factor is commonly verified by a fingerprint scan on a mobile phone, but also includes anything that would be a unique identifier of your physical person--a retinal scan, voice or facial recognition, and any other kind of biometrics.

 

MFA in practice at USNH 

In the USNH computing environment, Enterprise Technology & Services is currently using the “Something you know” and “Something you have” methods of MFA for many of its systems and services -- especially where users may be accessing personal, financial, FERPA-protected or HIPAA-protected data. MFA is also in place for the password management tool, the campus VPN and our ERP systems.

Additionally, ET&S has begun enabling MFA for USNH M365 applications and email. As OneDrive and SharePoint become the standardized methods for storing and sharing documents and data across the University System, the additional level of security that MFA affords in this environment will help ensure that our business records and research are protected from loss or theft.

 

Further Readings

MFA: Setting up Multi-Factor Authentication (MFA) for M365

MyAccount: Updating Security Info for password recovery and MFA verification

 

Need additional help?

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues, you must call or visit the Help Desk in person.
