Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) at RIT

RIT is providing Multi-Factor Authentication to selected RIT information resources. All RIT faculty, staff, and students are affected.

What is MFA?

MFA (Multi-Factor Authentication) is a way of ensuring that only you are able to access your accounts. Rather than just using a username and password, you provide a second "factor" to prove it is really you who is accessing your account. For RIT accounts that second factor is provided by Duo. The additional factor may be a number that you receive as a text message, a code that appears on an app, or a phone call. 

Multi-Factor Authentication is more secure than just using a password and is becoming more common. Many universities and colleges around the world are moving to Multi-Factor Authentication. Many of you already use some form of Multi-Factor Authentication when logging into your personal banking accounts, social networking accounts, and even Gmail.  

How does RIT provide MFA?

We will be using a Multi-Factor Authentication service provided by Duo. When specific RIT applications are converted to Multi-Factor Authentication, you’ll be required to provide an additional “factor” to log in to that application. The prefered factors are the Duo mobile app or a text message. There is also an option to have a token (fob) that generates the factor or even to tie that additional factor to your desk phone. 

Which RIT applications use MFA?

MFA is currently required by a number of RIT applications including eServices, myCourses, myInfo, myLife, and Peoplesoft. MFA is in the process of being rolled out to additonal RIT applications. 

Why are we moving to MFA?

We are moving to Multi-Factor Authentication because it will better protect both your and RIT’s information.

During the 2017-18 academic year, several RIT people had their myBiz/eBiz/myInfo accounts compromised through phishing attacks. Using the compromised accounts, the attacker changed direct deposit bank account numbers so that funds from the RIT employees’ paychecks would have been deposited into someone else’s account. (No one at RIT lost any money, because the Controller’s office began monitoring direct deposit bank account number changes after another university was attacked (and lost money) a couple of years ago.) With Multi-Factor Authentication, even if someone surrenders his or her password in a phishing attack, the attacker will not be able to login to any RIT applications that use Multi-Factor Authentication.

Additional Resources

The ITS Service Desk (585-475-HELP) will be your point of contact for any problems or questions about MFA and Duo. 

For more information

Duo video explaining MFA (2FA)

ITS how-to information for MFA