November 14, 2016
Topic: Information Technology
All members of the University of Michigan community now have the option to add extra security to protect personal and university information when logging into online U-M services.
It's available for U-M faculty, staff and students, as well as sponsored affiliates, alumni and retirees. Information and Technology Services introduced the option as part of an effort to increase data protection on U-M campuses by expanding two-factor authentication from Duo Security.
The added security step occurs via the Weblogin page, which is the screen people use to log in to Wolverine Access, U-M Google and other secure U-M online activities.
Strong passwords remain important, but they are not enough anymore. Two-factor authentication adds a second layer of security, keeping an individual's account secure even if their password is compromised. It requires two proofs of identity when logging in:
• Something you know, such as a UMICH password.
• Something you have, such as a push notification sent to a smartphone.
Learn about the benefits of two-factor authentication.
Two-factor authentication is becoming more common in higher education and in the marketplace. For example, Penn State requires it for staff and faculty.
In a recent University Record interview on cyber security at U-M, Chief Information Security Officer Don Welch noted that "higher education has the highest number of IT security breaches among most industry sectors."
If a UMICH (Level-1) password is stolen — whether through phishing or hacking — that U-M account can be used to mimic the individual online. A malicious attacker can use the account to send spam, access tax or bank account info, or steal research.
By turning on two-factor authentication for Weblogin, individuals at U-M can take an important step to protect their online identity and prevent hackers and criminals from being able to access their W-2s, direct deposit info, U-M Google email and more.
Kevin Hegarty, executive vice president and chief financial officer, adds extra IT security to his U-M Weblogin. (Photo courtesy of Information and Technology Services)
This fall, more than 140 staff, faculty and students tried out the option at U-M and, when asked, 80 percent "strongly agreed" that they would continue using the additional security to protect personal and university information.
Denise Stegall, senior director for records and information services in University Human Resources, turned on two-factor authentication during the pilot and endorses the option.
"As one of the HR data stewards, I am aware of many examples of identify fraud. Knowing that I can add a layer of protection … to reduce opportunities for hacking (and) fraud to protect all U-M employees is worth a few more clicks a day using two-factor authentication," she said.
Martin Sager, an information systems manager in ITS, also participated in the pilot and says, "Members of the U-M community are targeted for their credentials. Having Duo enabled makes me feel more secure."
For those already using Duo, it's simple to turn on two-factor authentication at UMICH Account Management under the two-factor (Duo) tab. Those at the U-M Health System can also turn it on via the UMHS Profile page. Those not yet using Duo will need to first enroll in a Duo option, then turn on the two-factor authentication feature.
When individuals turn on two-factor authentication, they are required to use Duo when logging in to U-M services on the web via the Weblogin page. The first step is to enter a uniqname and UMICH (Level-1) password, and the second step is to approve a Duo login. The extra security applies to all services via the Weblogin page. It cannot be used for some services and not others. Most report needing to use Duo only a few times a day.
Currently, more than 25,600 individual accounts use Duo to access U-M systems that require it. Now the university is strongly encouraging all U-M faculty and staff to safeguard personal and university data by turning on Duo two-factor authentication for Weblogin. As one pilot participant said, "Once you get used to using Duo, it's just automatic."