Multi-factor authentication, or MFA, is a security measure that requires anyone logging into an account to use a two-step process to verify their identity.

MFA ensures that it is twice as hard for someone to access your online account without authorization. When it is available, always turn it on because it is not only easy to use but incredibly effective. Data shows us that over 99% of account hacks could have been prevented by use of MFA. Some examples of MFA can include an extra Personal Identification Number, answering security questions, a code emailed or texted to you, facial or fingerprint recognition, and more.

CU System uses Duo for multi-factor authentication, a core component of CU's identity and access management policy and cybersecurity strategy. You've already been using MFA every time you use Duo to access the VPN or specific applications. If your username and password were compromised, someone would still need to gain possession of your phone to verify the second factor of authentication. And, because CU System uses Smart MFA, the number of times you have to authenticate using Duo is greatly reduced.

What is Smart MFA?

As more and more applications require Duo verification to access, UIS is exploring secure options to reduce the number of times users must authenticate. 

Adaptive authentication, also known as Smart MFA, analyzes additional factors when a user attempts to log in and assigns a level of risk associated with that login attempt. For example:

• Where is the user who is trying to access information? Is the location different than normal?
• When are they attempting to access information? Is it during regular hours?
• What kind of device are they using? Is it different than the one they normally use?
•  Are they on a private network or a public network?

Depending on the risk level calculated, the user may be prompted for an additional authentication factor, such as using Duo. Over time, as your device, location and timing are determined to be low risk, you may find that you are being required to authenticate less often.