Two-step login is a way to further protect personal and institutional data by requiring something (such as an enrolled mobile phone) in addition to the pairing of username and password, to verify the identity of the person attempting to log into a service.
This is based on a principle of authentication called "two-factor" that access to services and data should rely on something that only the user knows, with a second factor, something only the user has in their possession, to provide strong identity verification. Today the predominant way to access web services is using "single-factor," which relies only on something the user knows the username and password pair.
The growing problem is that the account owner isn't always the only person who knows the HawkID and password to gain access to university services and data. This can happen due to a variety of reasons, such as:
- Phishing (email) attacks where user credentials (HawkID and password) are entered into a linked "university-look-alike" malicious website and captured
- Phishing (email) attacks that include an attachment that installs malicious software, capturing credentials typed on the keyboard and sending them to attackers
- Choosing the same username (e.g., HawkID or UI email address) and password for non-university websites that have inadequate security protections, such as not having encryption turned on, or unpatched security vulnerabilities
- Telephone scams where the user gives their account information to someone who appears to be in authority
- Choosing passwords that are easily guessed or predicted
Two-Step Login keeps your account secure even if your password is stolen. With Duo Push you'll be alerted right away (on your mobile phone) if someone is trying to log in with your account, so you can prevent it from happening!
To increase protections for our user community and our information, the University of Iowa is phasing in Two-Step Login services from Duo Security for our critical and sensitive applications, including a requirement to use Duo with the UI's Employee Self Service application (http://hris.uiowa.edu). Additional applications meeting the risk criteria of being critical or sensitive are being prioritized and will also be enhanced with Two-Step Login with Duo Security.
Frequently Asked Questions
General Support Information
Services scheduled for maintenance over the next 7 days. Please refer to the calendar view of alerts for a complete schedule.
Past 90 Days
The Duo-Two Step authentication service using phone calls is not working. Customers receive a message saying "Error during call: Insufficient telephony credits." when trying to place a call for authentication. ITS support staff are working to resolve this problem as quickly as possible.
We will update this notice as soon as more information is available.