The FBI tells us that the K–12 education segment is the No. 1 target for ransomware and accounts for the majority (63%) of all ransomware attacks in the world. The average cost of a ransomware attack is right at $3 million.
According to a recent NBC News article, “Most students don’t have bank passwords. Few have credit scores yet. And still, parts of the internet are awash in the personal information of millions of schoolchildren. … Some of the data is personal, like medical conditions or family financial statuses. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.”
The number one method of spreading ransomware is through phishing (fraudulent email that tries to get individuals to reveal personal information). In a recent phishing attack at DISD, over 300 users were compromised in the first couple of hours after the phishing email was received.
The latest issue of Ed Tech magazine says “Two-factor authentication—also called multifactor authentication—is the best way to prevent phishing attacks from turning into data breaches.” Additionally, CIO magazine reports that “Without the security benefits of MFA (Multi-Factor Authentication), an attacker only needs compromised user credentials to gain system access (single-factor authentication).”
DISD is implementing MFA using a product called DUO from our network infrastructure vendor, Cisco. DUO is an app that installs on your phone so that the MFA process can be completed with a single click, and it can be set to ask only once every other week. For the sake of safety, there is no opt-out from MFA.
Since there will be concerns about privacy regarding a phone app, the one piece of information we would like to share in more detail concerns privacy on the app. This is from Cisco’s DUO website:
Duo Mobile cannot see your user data like your contacts, it cannot read your text messages, it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission), it cannot access your files, it cannot erase your device, it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, we do not track any personal data about these accounts -- only the name of the service.
The app knows “Device state data” such as what type of phone and what version of OS you’re using on the device. This is simply to make sure the device is compatible.
All of the details about DUO can be found at https://guide.duo.com/.
2FA (two-factor authentication): an additional layer of authentication beyond a username and password. 2FA involves something you know (password) plus something you have with you (like Duo Mobile on your smartphone) to prevent someone from logging in with only your password. With Duo 2FA, you still enter your username and password. The second factor provided by Duo is simply an added layer of security on top of your existing credentials. We recommend using Duo Push via the Duo Mobile app to perform 2FA.
Duo Prompt: this interactive prompt lets you choose how to verify your identity each time you log in (e.g. “Duo Push” or “Call Me”) to a web-based application. The Duo Prompt allows you to enroll and authenticate.
Passcode: these are numeric codes that can be generated either via the Duo Mobile app, SMS (text message), or a hardware token, depending on what your IT administrator permits. Passcodes may be used at any time and are particularly handy for authenticating when your 2FA device doesn't have internet or cellular service.
Push Notification (Duo Push): a push authentication request that is sent to the Duo Mobile app on an enrolled device. Push notifications include information like the geographical location of the access device, IP address of the access device, and the application being accessed so you can verify whether the push is real or fraudulent.
Self-service portal: if the self-service portal has been enabled for use in the Duo Prompt, you can click “My Settings & Devices” to add additional devices or update authentication method settings right from the Duo Prompt.
Frequently Asked Questions
Below are some key questions end users commonly have. Depending on your organization’s specific applications and configuration, some questions may need editing or can be omitted.
Do I need a smartphone or data plan to use two-factor authentication?
No. Having a smartphone makes for an easier and more secure experience with Duo Push. However, if your organization permits it, it is also possible to enroll a non-smartphone mobile device or landline to receive SMS passcodes or phone calls.
** Keep in mind that if you select your Cisco classroom phone, you will only be able to authenticate from that phone.
What is Duo Mobile?
Duo Mobile is a mobile application (app) that you install on your smartphone or tablet to generate passcodes for login or receive push notifications for easy, one-tap authentication on your mobile device. It works with Duo Security’s two-factor authentication (2FA) service to make your logins more secure.
What is the recommended two-factor authentication method?
If you have a smartphone or tablet, we recommend Duo Push, as it is quick, easy to use, and secure. See an introduction to Duo Security and a demonstration of Duo Push in this short video: https://www.youtube.com/watch?v=_T_sJXnSM98
How much data does a Duo Push request use?
Duo Push authentication requests require a minimal amount of data -- less than 2KB per authentication. For example, you would only consume 1 megabyte (MB) of data if you were to authenticate 500 times in a given month.
Why have I stopped receiving push notifications from Duo Mobile?
There are several reasons this could be happening. Please try the following to troubleshoot:
- Make sure your enrolled device has a cellular network or WiFi connection.
- Have the Duo Mobile app open when you authenticate.
- Try these additional push troubleshooting steps:
- If the above solutions don’t work, try using another authentication method, such as passcodes provided in the Duo Mobile app.
How can I authenticate if I’m somewhere with no cell signal or WiFi access?
See this Duo Knowledge Base article for information on authenticating without cell or internet service: https://help.duo.com/s/article/4449
How can I manage the devices I use for Duo?
If you have access to the “My Settings & Devices” link (the self-service portal) at the Duo Prompt and are currently able to authenticate with a device, you may:
- Add additional devices
- Designate your “default” device that receives authentication requests in addition to your preferred authentication method
- Deactivate Duo Mobile if you got a new phone but kept your number
- Change the name of your device (ex. “Personal Cell” or “Work Phone”)
- Remove a device
Learn more about managing your devices here: https://guide.duo.com/manage-devices