Two-Step Login: Overview
To provide better security for employee data and to satisfy federal regulations regarding the protection of sensitive health information, access to the UVA Health System secured network requires 2-step login.

To skip the background and get right to installing and using the 2-step login app, called Duo, click here.

Why Two-Step Authentication?

The problem

A big problem with allowing computer access to sensitive information, such as prescriptions for controlled substances, is how to ensure that the person logging in is, in fact, the person authorized to access that information.

There are three ways, or factors, to tell if someone is who they claim to be:

  1. Ask the person something only they know, such as a secret password (factor 1: something you know)
  2. Make the person use an object only they should possess, like a key card (factor 2: something you have)
  3. Compare the person's physical characteristics against a record of those characteristics, such as fingerprint data or face recognition (factor 3: something you are)

Traditional logins use only one of these factors: factor 1, something you know, in the form of a username and password. The problem is that something you know can be stolen, and attackers have many ways to steal passwords. One of the most common is email phishing.

Every day, millions of emails pretending to be official communications are sent out in targeted fraud attempts. These phishing campaigns try to trick people into entering their username and password into a fake web form, which records that information and sends it to the attacker, who can then log in to the person's account with whatever access that person has.

The solution

Because phishing attacks are so common and succeed so often, sensitive data reachable from the web, such as patients' protected health information (PHI), needs stronger protection than a password alone. This is where 2-step login comes in.

Unlike traditional logins, which use only something you know, UVA Health System's 2-step method adds a second factor of authentication. Here the second step requires factor 2: something you have.

During 2-step login, the user enters the usual username and password and then provides a third piece of information produced by a device registered to that user. Typically this is a single-use passcode generated by the Duo app on a registered mobile device (phone, tablet, or smart watch) or by a registered hardware token, or it is the user's approval of a push notification sent to the app.

Wait a Minute . . .

But wait, you say. . . I understand that secret information can be stolen, but so too can something I have, like my smart phone or tablet. Can't a thief just steal my phone and then get into my account anyway?!

The strength of the 2-step method is that an attacker needs both your password AND your device (plus the device's passcode, for that matter) to get into your account. A phisher who captures only your password is stopped at the second step, and a thief who takes only your phone still lacks your password. Obtaining both at once is far harder, which makes 2-step login an effective deterrent. For the same reason, never approve a Duo push notification for a login you did not start yourself.

OK . . . So How Does It Work?

Signing up for 2-step authentication is easy, and so is using it.

In summary, 2-step login requires an app on a secondary device (a device other than the computer you are logging in from). The app on the secondary device offers a few ways to prove your identity; choose one of the permitted methods, complete it, and the login finishes.

After you read the important note below, scroll down for links showing walkthroughs on how to enroll for 2-step login and how to use it.

A note on Medical Center requirements

As part of ongoing collaboration efforts between the Academic and Health IT teams, UVA Health Information & Technology (HIT) has joined forces with the UVA Academic IT team to use a single solution, called Duo, as the application that will accomplish 2-step authentication. This collaboration allows HIT to use the enrollment process already built and tested by the Academic IT team.

However, there are significant differences in how regulations allow the Health System to use the Duo app, compared with the Academic side. Although the Academic side offers phone calls and pre-printed backup codes as authentication methods, to comply with HIPAA and DEA regulations, access to Medical Center resources that may expose PHI is restricted to the Duo mobile passcode, Duo hardware token, and Duo mobile push notification methods only.

To sign up for 2-step login, click here.

To use the app for 2-step login, click here.