Week 1 - Enable MFA

Passwords alone are not enough. Data collected by Microsoft and Verizon have shown that 81% of hacking-related breaches used stolen or weak passwords. If you can do just one thing to protect your online valuables and digital identity, set up multi-factor authentication.

Two-Factor Authentication or Multi-factor Authentication. MFA. 2FA. They all mean the same thing: opting into an extra step when trusted websites and applications ask you to confirm your identity. To help keep SDSU users and data safe, the campus utilizes Duo's MFA solution.

By verifying your identity using a second factor (such as your mobile device or a hardware token), MFA prevents anyone else from logging into your account, even if they know your password.

SECURITY TIPS ON MFA

  • Enable MFA on Other Accounts. You need more than a password to protect your other online accounts (bank accounts, credit cards, social media, etc.). Enabling MFA reduces the likelihood of a compromised account.
  • Authenticate using Duo PUSH. Using the Duo Mobile app, Duo PUSH is convenient and fast. In addition, it is more secure than a phone call or SMS text message because it provides end-to-end encryption and displays detailed information about the application and source device that initiated the authentication request. Learn more about Duo PUSH.
  • Watch out for Fraudulent MFA Authentication Requests. An unexpected MFA request is one you receive that was initiated by someone else trying to sign in as you. This could mean that your SDSUid username and password have been compromised. You should change your password immediately by going through the SDSUid Password change process.
  • Request a Hardware Token When Traveling Abroad. A hardware token is a small, battery-powered device that generates a code on the built-in display. Hardware tokens do not require cellular or internet service. For faculty or staff going abroad, request a Duo MFA token to ensure you are able to authenticate into your SDSU account.

    • For faculty and staff requesting a Duo token, create a ticket using the Service Portal.
    • For students requesting a Duo token, please contact the Library Computing Hub Help Desk by phone at 619-594-3189, email at [email protected], or chat at library.sdsu.edu/askhub.
      Note: It is recommended that students provide an additional email address (non-SDSU) on the ServiceNow ticket to ensure that notifications are received.

HACKER TACTIC SPOTLIGHT

MFA Bombing. MFA Fatigue. MFA Spamming.

The nicknames are different, but the end goal is the same: constantly bombarding the user with MFA authentication requests (text notifications, PUSH prompts, or phone calls) in the hope that the user will be exhausted by the overwhelming volume and eventually approve one. In hacker speak, your account is now "owned."

Stay vigilant! Only accept MFA authentication prompts that you initiated.

How does MFA Fatigue (aka MFA Bombing or MFA Spamming) Work?

Source: https://blog.admindroid.com/safeguard-office-365-users-from-mfa-fatigue-attacks/

What to do if you suspect you are receiving a fraudulent Duo MFA request?

  • Depending on the method of authentication, if you suspect you are receiving a fraudulent MFA request, hang up, deny the request, or do not enter the provided passcode.
  • Only approve MFA requests you initiate yourself, knowingly and intentionally. Then, report the fraudulent attempt IMMEDIATELY to [email protected].

2022 CYBERSECURITY AWARENESS MONTH

Remember to explore our website, “SDSU 2022 Cybersecurity Awareness Month,” for weekly articles, tips, and activities to promote cybersecurity at SDSU.

Do Your Part and #SeeYourselfInCyber!