Securing BUworks with Duo

In response to the phishing scam that redirected employee payroll deposits last December, and at the request of President Brown, Information Services & Technology is developing a proposal to implement a high-security login process for BUworks that requires a second method to confirm the identity of the person logging in.

Referred to as two-step or two-factor authentication, this new process would ask individuals logging in to confirm their identity using a smartphone, via text, via automated voice calls, or on a secured kiosk (for certain staff).

The product we have identified for this is called Duo Security. To learn more about Duo and how it would work at BU, visit www.bu.edu/tech/duo/

We propose to begin a phased rollout of two-factor authentication with Duo in early May:

  • May 2014 – Pilot Groups
    • Require Duo for IS&T staff in addition to clients who currently use a SecureID to access BUworks.
    • When we begin, the login screen you’re used to seeing at www.bu.edu/buworkscentral/ would change slightly. However, during the pilot, anyone who is not in the above groups would not be required to use Duo.
  • June 2014 – Optional Enrollment Period Begins
    • Beginning in June, we would offer anyone who logs in to BUworks the opportunity to enroll in the high-security authentication program.
  • Mid-July 2014 – Automatic Enrollment of Staff
    • After the end of the fiscal year, all staff would be automatically enrolled in Duo.
    • Faculty and student employees can still opt in.
  • September 2014 – Automatic Enrollment of Faculty
    • In September, all faculty members would be automatically enrolled
    • Student employees can still opt in.
  • October 2014 – Automatic Enrollment of Student Employees
    • In October, all students who access BUworks would be enrolled if they have not already opted in.
    • At this point, two-factor authentication with Duo would be required for everyone logging in to BUworks.

We thank you for your support and encourage you to contact us with feedback on this timeline or with questions or concerns about the project in general. The Vice President of Information Services & Technology and the Information Security & Business Continuity governance committee for IS&T can be reached directly at duo@bu.edu.