Over the last year, IT across Carnegie has been working on proactively improving our digital security. With the repeated news breaches of on other sites and services exposing user passwords, and the reality that people re-use their passwords across multiple sites and services, mitigating the potential use of compromised passwords has been a high priority for Carnegie. To mitigate this risk, we're implementing Duo 2-factor authentication for all remote access services.
Duo does not replace nor required you to change your username and password. Duo adds an extra layer of security on top of your current credentials (a 2nd authentication "factor"), ensuring that access is granted not only based on what you "know" (a password), but also based on what you "have" (a device). Initially, we'll be providing Duo accounts to known existing users of our VPN and SSH service, with additional accounts provided at a later date.
Enabling 2-factor authentication will also require us to deploy a new VPN solution. Our existing VPN, an IKEv2 VPN, does not have the built-in capability to handle multiple authentication factors. As a result, we'll also be deploying the same VPN system used at other Carnegie departments: Fortinet's FortiClient VPN.
We'll be rolling out Duo on the following schedule:
- Invitations to setup Duo: Monday May 7th
- Duo required for SSH Gateway: Tuesday May 8th
- Rollout of new VPN w/Duo 2FA: Tuesday May 15th
Please feel free to send us any questions or concerns you may have.