Dept. of Technology Services

UtahID Multi-Factor Options

The State Security Council has recommended that state agencies use multi-factor authentication on state applications that use UtahID for authentication. DTS will implement multi-factor authentication on UtahID effective October 31, 2020.

What is Multi-Factor Authentication?

A method of granting a user access to a system only after the user presents two or more independent factors: something the user knows (a password), something the user has (a hardware token, or a code delivered to a separate device the user holds), or something the user is (biometrics).

Why use Multi-Factor Authentication?

Security is a top priority of the state. Multi-factor authentication adds a layer of protection for state assets and for individual employee identities: a password that has been guessed, phished or leaked is no longer enough on its own to sign in, because the attacker would also need control of the second factor.

When is DTS implementing Multi-Factor Authentication (MFA)?

Beginning September 18, 2020, and completed by October 31, 2020.

How much will this cost?

See below for different security levels and the related cost.

Security Levels

Please work with your Agency Security Representative and IT Director to determine which level of security your agency needs. The Security Levels give agencies requirements for identity-proofing their employees and enrolling them in one of four levels of risk mitigation.

There are multiple levels of trust that can be associated with a user's profile for authentication. NIST SP 800-63B defines three such levels, Authenticator Assurance Levels AAL1 through AAL3; the DTS Security Levels below are DTS's own scale, informed by the AALs but not mapped onto them one for one.

Multi-Factor options

  • Security Level 1.5: Minimum level of MFA security required by DTS. Federally regulated agencies may require a higher level of security.
    • SMS Text: A code is sent to a mobile phone, either personal or state issued.
      • Cost = carrier rates may apply per text
    • Alternate Email: A code is sent to a personal email address. The code is only as protected as the mailbox that receives it, so that mailbox should not share the UtahID password.
      • Cost = $0; many email providers offer free accounts
  • Security Level 2: Some regulated agencies may require this level of security. This option is also available to agencies that do not want employees to use a personal email address or device to authenticate.
    • UtahID authenticator app: Can be used on a personal or state-issued mobile device.
      • Cost = $0 (free download from the Apple App Store / Google Play)
    • WebAuthn (FIDO2): a web standard supported by the following authenticators:
      • YubiKey token
        • Cost = Starting at $45 and up depending on model (more pricing info coming soon)
      • Touch ID (macOS)
        • Cost = Mac laptop supporting Touch ID
      • Windows Hello: Windows 10 build 1903 or later on a laptop with a fingerprint reader supported by Windows Hello
        • (Still testing)
  • Security Level 3: Some regulated agencies may require this level of security.
    • RSA token (fob and soft token)
      • Cost = 3-year commitment, approximately $120.00 for the first 3 years

VPN

The GlobalProtect VPN client maintains its own session, separate from UtahID, and therefore prompts for authentication separately.

VPN default authentication is Security Level 1: UserID and password only.

2FA (two-factor) Security Levels can be enabled with a configuration change on a VPN group.
For example, if Security Level 2 is configured, all users in that VPN group must authenticate with their email/UserID and password plus either the UtahID Authenticator or a YubiKey, as these are the options that meet Security Level 2 in the VPN client (the YubiKey is used in Yubico OTP mode there, because the GlobalProtect client's embedded browser does not support WebAuthn).

Another example:
A user has an RSA token and uses it for standard authentication, but is a member of a VPN group with Security Level 1.5 applied. This user logs in to UtahID using RSA as the second factor, but when logging in to VPN uses SMS or email as the second factor.

Summary: the Security Level configured on the group, together with the user's group membership, determines the second factor required for VPN only, because VPN is currently implemented as a separate system.

2FA Enablement process

Users will be asked to register an option for a second factor.

This process will be defined by each agency; once the schedule is created it will be noted here.

In preparation for the APSC meeting on 9/17, agencies will need to come prepared with the following information: 1) whether the agency wants a notification period and, if so, for how long; 2) when enforcement for the agency will be required.

Example: agency 110 wants a notification period of 1 week beginning 9/29, with a 10/5 enforcement date. In this example, users will see a message asking them to register an MFA option, with a Skip Registration link at the bottom of the options. A user who does not want to register an MFA option yet can click Skip each day until the enforcement date, after which the skip option is no longer shown.

Note: Users currently using RSA will not be impacted and will not be required to register an option.

Notes

Users currently assigned an RSA token are required to use RSA for 2FA authentication.
No action is needed from RSA users for this phase of authentication.

Once a user registers an MFA option, they must provide the registered option as the second factor for all future authentications.

At a future date VPN will be updated to apply the same Security Level for VPN as is used in the UtahID authentication process. This will make it possible to set a minimum level of authentication (1.5, for example) and let the user satisfy it with any registered 2FA option at that level or higher, rather than only the options that exactly match the group's level.

Definitions:

YubiKey OTP:

Yubico OTP (One-Time Password) is a simple yet strong authentication mechanism supported by all YubiKeys out of the box. Yubico OTP can be used as the second factor where the solution does not support WebAuthn.

GlobalProtect will need to use Yubico OTP, because its embedded Internet Explorer browser does not support the WebAuthn token.
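The following Go program is an added example, not DTS or Yubico code, of what a Yubico OTP validation server checks and why a typed OTP works as a second factor where WebAuthn is unavailable. A Yubico OTP is 44 modhex characters: a 12-character public ID followed by a 16-byte block that the key encrypts with its AES-128 secret; the block carries a private ID, a session counter, a use counter, a timestamp, random bytes and a CRC. The server decrypts with its copy of the secret, checks the CRC residual and private ID, and rejects any OTP whose counters do not move past the last accepted one, so a captured OTP cannot be replayed. The layout, modhex alphabet and CRC follow the published Yubico OTP format; the AES key, private ID, public ID and counter values are constructed sample values, and the timestamp bytes are left zero.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"strings"
)

// modhex is the 16-symbol alphabet a YubiKey types; these keys sit in the same place on most keyboard layouts.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(out)*2; i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, errors.New("invalid modhex character")
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// crc16 is the ISO 13239 CRC Yubico uses (init 0xffff, reflected polynomial 0x8408, no final XOR); the key
// stores the complement of the CRC of bytes 0..13, so the CRC of all 16 bytes of an intact block is 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			mask := -(crc & 1) // 0xffff when the low bit is set, else 0
			crc = (crc >> 1) ^ (0x8408 & mask)
		}
	}
	return crc
}

// keyRecord is the validation server's state for one key: the AES key and private ID programmed into it
// (constructed sample values in this example) and the highest counters accepted so far, used to reject replays.
type keyRecord struct {
	PublicID string       // 12 modhex chars, sent in the clear as the OTP prefix
	Block    cipher.Block // AES-128 under the key's secret
	UID      [6]byte      // private ID, only visible after decryption
	LastCtr  uint16       // session counter (increments on power-up) of the last accepted OTP
	LastUse  uint8        // use counter within that session
}

// packToken lays out the 16-byte plaintext block: uid(6) ctr(2) timestamp(3) use(1) rnd(2) crc(2), little-endian.
func packToken(uid [6]byte, ctr uint16, use uint8, rnd uint16) []byte {
	p := make([]byte, 16)
	copy(p[0:6], uid[:])
	binary.LittleEndian.PutUint16(p[6:8], ctr) // bytes 8..10, the key's internal timestamp, are left zero here
	p[11] = use
	binary.LittleEndian.PutUint16(p[12:14], rnd)
	binary.LittleEndian.PutUint16(p[14:16], ^crc16(p[:14]))
	return p
}

// generateOTP does what the key does on a touch; it is here only to build sample input for verifyOTP.
func generateOTP(k *keyRecord, ctr uint16, use uint8, rnd uint16) string {
	enc := make([]byte, 16)
	k.Block.Encrypt(enc, packToken(k.UID, ctr, use, rnd)) // exactly one AES block, so no mode or IV is involved
	return k.PublicID + modhexEncode(enc)
}

// verifyOTP is the server-side check; it advances the stored counters only when the OTP is accepted.
func verifyOTP(k *keyRecord, otp string) error {
	if len(otp) != 44 || otp[:12] != k.PublicID {
		return errors.New("OTP must be 44 modhex characters starting with this key's public ID")
	}
	block, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	k.Block.Decrypt(block, block) // in place: block now holds the 16-byte plaintext
	if crc16(block) != 0xf0b8 || string(block[:6]) != string(k.UID[:]) {
		return errors.New("decryption check failed: wrong AES key, tampered OTP or private ID mismatch")
	}
	ctr, use := binary.LittleEndian.Uint16(block[6:8])&0x7fff, block[11] // top counter bit is reserved by the firmware
	if ctr < k.LastCtr || (ctr == k.LastCtr && use <= k.LastUse) {
		return errors.New("replayed or out-of-order OTP")
	}
	k.LastCtr, k.LastUse = ctr, use
	return nil
}

func demoKey() *keyRecord { // constructed, non-secret sample values; a real AES key and private ID are random
	block, _ := aes.NewCipher([]byte("0123456789abcdef"))
	return &keyRecord{PublicID: "cccccccbhfgk", Block: block, UID: [6]byte{0x8e, 0x61, 0x13, 0xab, 0x00, 0x42}}
}
```

Calling verifyOTP twice with the same OTP, or with an OTP whose counters sit at or below the last accepted pair, returns an error, and changing a single character of the encrypted part fails the CRC check after decryption. The per-key AES secret exists only on the key and in the validation service (YubiCloud or a self-hosted validator), which is why OTP mode needs a round trip to that service where WebAuthn would not.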

WebAuthn:

WebAuthn allows users to log in to internet accounts using their preferred device (e.g. a token or fob). Web services and apps that use WebAuthn provide an easier login experience via biometrics, mobile devices and/or FIDO security keys, with much higher security than passwords alone.

The YubiKey is a WebAuthn authenticator.

Push:

Push Notification Authentication works by sending a push notification directly to a secure application on the user's device, alerting them that an authentication attempt is taking place. Because anyone who has the password can trigger a prompt, users should deny any prompt they did not initiate themselves.

UtahID Authenticator is a Push solution.

Recovery Codes:

When registering a Push or WebAuthn device, a set of 10 one-time-use codes is generated; each code can be used once in place of the device or app if needed. Store these codes in a secure place: anyone holding one can use it as your second factor, so they are as important to protect as your token or mobile device.
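The server side of the recovery codes described above, as an added Go example that is not DTS code: the ten codes are drawn from crypto/rand and shown to the user once, the server stores only a SHA-256 hash and a used flag per code, and redeeming a code normalizes what the user typed, compares it against the stored hashes in constant time and marks the match as spent, so each code works exactly once. The code length and format are assumptions made for the example, not UtahID's.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// storedCode is all the server keeps per code: a hash of it and whether it has been spent.
type storedCode struct {
	hash [32]byte
	used bool
}

type recoveryCodes struct{ codes []storedCode }

// normalize strips the separators and case a user may type back, so "A1B2-..." matches what was issued.
func normalize(code string) string {
	return strings.ToLower(strings.NewReplacer("-", "", " ", "").Replace(code))
}

// generateRecoveryCodes returns n plaintext codes (to be shown to the user once) and the server-side record.
// Each code carries 64 random bits, enough that an unsalted hash cannot be brute-forced from a leaked table.
func generateRecoveryCodes(n int) ([]string, *recoveryCodes, error) {
	plain := make([]string, n)
	rc := &recoveryCodes{codes: make([]storedCode, n)}
	for i := range plain {
		var b [8]byte
		if _, err := rand.Read(b[:]); err != nil {
			return nil, nil, err
		}
		h := hex.EncodeToString(b[:])
		plain[i] = h[0:4] + "-" + h[4:8] + "-" + h[8:12] + "-" + h[12:16] // e.g. 3f9a-1c07-be42-d0a1
		rc.codes[i].hash = sha256.Sum256([]byte(h))                       // hash of the normalized form
	}
	return plain, rc, nil
}

// Redeem spends one unused code. Every stored hash is compared in constant time, and only an unused
// match is accepted and then marked used, so a code that has been used once is refused thereafter.
func (rc *recoveryCodes) Redeem(code string) error {
	h := sha256.Sum256([]byte(normalize(code)))
	match := -1
	for i := range rc.codes {
		eq := subtle.ConstantTimeCompare(h[:], rc.codes[i].hash[:]) == 1
		if eq && !rc.codes[i].used {
			match = i
		}
	}
	if match < 0 {
		return errors.New("recovery code not recognized or already used")
	}
	rc.codes[match].used = true
	return nil
}

// Remaining reports how many codes are still unspent, so the user can be prompted to regenerate when low.
func (rc *recoveryCodes) Remaining() int {
	n := 0
	for _, c := range rc.codes {
		if !c.used {
			n++
		}
	}
	return n
}
```

Keeping only hashes means a copy of the database does not yield usable codes, and marking the code used before returning success is what makes it one-time: a second Redeem with the same code fails even though the hash still matches.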

What the Registration Process looks like

Once notification and enforcement are enabled, these screens are presented when users log in, until they register an MFA option. After the user registers an MFA option the screen is no longer presented at login, but it remains available under the user's account profile / security link. On this screen the user can register one or more 2FA options or scroll down and click Skip Registration during the notification period; the skip option is not offered once the enforcement period begins.