Virginia Tech secures online campus services with strong two-factor authentication

A strong vision to deliver digital security for students, faculty, and research partners

Virginia Tech maintains extensive research partnerships with both government and corporate organizations, so securing access to sensitive data was critical. In addition, the university wanted to ensure its students, faculty, and staff were kept safe from online attacks that could potentially hack into the wider campus network. With the growing sophistication of phishing attacks being a key concern, Virginia Tech was focused on introducing an effective digital security initiative that would enable all employees and students to use two-factor authentication (2FA) to access their Gmail accounts and other online services for heightened security. In addition, establishing strong adherence to existing and emerging compliance regulations was a key component of Virginia Tech’s security vision and strategy. Regulations such as HIPAA, PCI, FERPA and NIST 800-171 Controlled Unclassified Information (CUI) required the adoption of multi-factor authentication.

Effectively addressing the challenge of ever sophisticated phishing threats

A change in the sophistication of phishing attacks was a key catalyst for exploring a new direction in digital security. Phishers were shifting their efforts to maintain access to the accounts they compromised in order to gain access to services. Tactics such as changing account settings, secondary email addresses, secret questions, and secondary phone numbers were ways to compromise accounts. Particularly concerning were attempts to gain access to the employee portal and change the direct deposit bank account number(s) to an external account so that the phishers could steal paychecks. While these attempts were unsuccessful, it increased the urgency with which these security risks needed to be mitigated. In addition, another key catalyst was the need to meet strict compliance requirements related to research projects conducted with government organizations. To meet these requirements, the university needed to ensure that only authorized users could access research data — and that required strong authentication that went beyond usernames and passwords.

To meet this goal, all faculty, staff and students at Virginia Tech, including those with access to research projects, had to move to 2FA. However, some, such as researchers, often needed to access databases several times per day, these users required an authentication option that was faster and easier than reaching for their devices or typing OTPs (one-time passwords) every time they needed to log in. Therefore, it was critical to identify a 2FA solution that offered strong security, enabled adherence to compliance requirements and provided an easy and fast user experience to maximize adoption.

“Secure 2FA is the way that the campus is going, and YubiKeys have a great reputation for being highly secure and easy to use. So for us, choosing the YubiKey was really a no-brainer.”

YubiKeys meet high-security compliance requirements

The IT team at Virginia Tech was laser focused on achieving strong security and compliance without sacrificing an intuitive user experience. Many users wanted a fast way to authenticate over typing in OTPs or reaching for their devices. After researching multiple solutions, the IT team chose YubiKeys to provide easy, fast, and strong authentication. “Secure 2FA is the way that the campus is going, and YubiKeys have a great reputation for being highly secure and easy to use,” said Morris Niday, Manager of Hokie Centric and Computer Service Center. “So for us, choosing the YubiKey was really a no-brainer.”

YubiKeys were quickly adopted as a 2FA solution and the deployment was easy because Virginia Tech’s infrastructure was supported by Duo, Yubico’s ecosystem partner, with no extra integration work required. “With the YubiKey, you just press a button and you’re in, which makes it so easy for people who don’t want to retype passcodes,” said Hla Tlou, Corporate Technology Division Manager for Virginia Tech Services, Inc. “It also helps us meet strict security requirements for many of our research partners.”

Ultimately, research faculty and IT directors on campus began authenticating to Gmail and other platforms with strong two-factor authentication for added security.  In addition, YubiKey access has been extended to other campus services such as Banner, the university’s paperless document management and approval system. To simplify deployment, YubiKeys are available to all of the Virginia Tech faculty, staff, and students through Hokie Centric, University Bookstore, Volume Two Bookstore, Dietrick Convenience Store, and Virginia Tech Services, Inc. Computer Service Center.

Building a more secure digital future

Virginia Tech is committed to ensuring that all of its graduates — from biomedical engineering to visual arts students — have a solid foundation in digital literacy and online security. As part of this commitment, the Official Bookstores for Virginia Tech are providing the opportunity for all students to adopt hardware-based authentication by bundling YubiKeys with incoming freshman computer purchases. The university has knowledge base articles to help students configure and start using their YubiKeys as soon as they arrive on campus.

“At Hokie Centric, we cater to what our students and faculty need, and that means we are increasingly serving in the role of technology consultant,” said Niday. “We know that they don’t have time to research all of the technology options out there, so we do that legwork for them. Our goal is to make the best solutions easily available — which is why we chose the YubiKey to be part of all the technology bundles we will offer to new students.”