Two-step verification method for Workday provides extra security against phishing attempts

Written by: Emmalee Smith

The Duo Security system, known as Duo Mobile, was implemented on Oct. 11 for all employees of BYU-Hawaii as a response to a rise in phishing attacks and as a way to further secure Workday accounts.

Jeff Strain, the enterprise information services director at BYUH, said the main reason for the added security is the rise in phishing attacks, a form of social engineering he has seen increase over the past year and a half.

Security Through Education, a website focusing on social engineering, says phishing attacks are carried out by hackers who send emails that appear to come from reliable sources in order to influence you or obtain your personal information.

Strain was in charge of implementing the program. He said, “The university’s website was never hacked,” but individual members’ accounts have been compromised.

He said there was an email directed to faculty that looked like it was from President Tanner. The email asked them to log in to a site with their university account information, such as their BYUH username and password.

Strain said it apparently looked so legitimate that some fell for it, and it took a lot of convincing for some to understand it wasn’t real.

He said the Multi Factored Authorization (MFA) system was already adopted by BYU and BYU-Idaho, so BYUH is just following along.

BYUH students described the additional security as useful but wanted more explanation of what the new system is and why it was put in place. Fubo Hou, a junior finance major from China, said he wishes the school “sent more information on the app.” He was unaware that he would need to fill out information or download an application and thought it was some kind of hacking.

Roche Donato, a freshman from Qatar majoring in exercise and sports science, said the app is better for safety reasons and it’s easy to use. “You don’t really do much, you just follow the buttons.” However, Hou stated the app was too time-consuming.

Roche did agree it would have been more useful to him if there had been an introduction to the new security. He said he ended up asking his boss about it.


Duo Mobile app

Duo requires two-factor authorization to log on to BYUH systems. There are different authorization methods, including the recommended way through the mobile app.

According to Duo’s site, once the app is set up, it simply sends you a login request every time you log in to your BYUH account, which you can deny or approve.

The two-step authorization is meant to notify you and let you decide when and whether someone can log on to your account. The app works for iPhones, Androids and Windows devices.


Text messaging

Strain said you can also be sent a “batch of five,” meaning it will send out five different codes to your device, which he recommended you print out and put in your wallet for safekeeping. A code can be used once, and he recommended you cross them off one by one until all codes are used.

He said if you do not have a mobile device, you can set up text messaging through your email so the codes will be sent to your email instead.


Landlines and U2F tokens

Logins can also be authorized through phone calls from a landline phone or through U2F tokens, according to Duo. U2F tokens are special USB devices, sometimes with wireless capability, that can authorize your login.

Date Published: Wednesday, November 1, 2017
Last Edited: Wednesday, November 1, 2017