October 3, 2018
The University of Michigan is taking steps to improve the security of institutional data and systems, and even personal data, by expanding the use of Duo two-factor authentication.
The expansion involves using two-factor at Weblogin, which is the webpage — and the software behind it — that allows individuals to log in and access protected U-M web resources such as direct deposit and W-2 information in Wolverine Access, U-M Google, the MCommunity Directory and Canvas.
Faculty, staff and sponsored affiliates with a Michigan Medicine account (Level 2) as well as those with a UMICH account (Level 1) in the School of Dentistry will be required to use two-factor for Weblogin beginning Oct. 10. Current plans are for the Ann Arbor campus and UM-Dearborn to use Duo at Weblogin by Jan. 23.
University community members are encouraged to turn on two-factor authentication before the deadlines so they can become familiar with Duo before it is fully implemented. Thousands of U-M community members already have taken this step.
“Phishing attacks, where a forged email fools you into revealing your password via fake login page, remain the most common and damaging form of remote security attack on the internet. Two-factor authentication prevents someone with a stolen password from being able to access your account,” said Thomas Wenisch, associate professor of computer science and engineering. “My entire research group has activated Duo at Weblogin to protect our critical research data.”
Individuals with a Michigan Medicine account began receiving notifications about the change in late summer. All others have been or will be contacted by Information and Technology Services’ Information Assurance and unit IT staff explaining what steps, if any, they need to take.
Students with U-M employee status will need to turn on two-factor as well — although all students are encouraged to do so.
“I believe that every person within the U-M family should feel connected to, and supported by, our collective purpose to provide user-centric services, outstanding support for teaching and research, and advance the best and appropriate technology,” said Ravi Pendse, vice president for information technology and chief information officer.
“But to do this, we need to protect the valuable data we all access on a daily basis. The choices we make around IT and IT security are to ensure that the university can fulfill its mission, while addressing the challenges of securing an open society.”
Globally, sophisticated cyberattacks continue to be on the rise. Successful attacks on universities have been costly in terms of time, reputation, resources and fines.
The industrywide IT security trend is to use two-factor authentication whenever possible. U-M is implementing two-factor to significantly decrease the likelihood of the university being adversely affected by an attack, and in response to requests from university community members to expand two-factor.
“Using two-factor is a vital means for protecting the university’s digital assets, as well as an individual’s personal information,” said Sol Bermann, chief privacy officer and interim chief information security officer.
“The reality is that U-M, like many academic institutions, is a target. Our aim is to provide a safe and secure online environment for the community and to reduce the chance that someone can get inappropriate access to institutional data or systems.”
The two-factor authentication tool that the university has selected is Duo, the product of a high-performing, Ann Arbor-based company founded by U-M alumni. Many peer institutions are already using the tool.
Duo provides the most options for individual choice, while effectively reducing IT security risks.
“The preferred and recommended option for most employees is the downloadable Duo Mobile app for their smartphone,” said DePriest Dockins, assistant director of identity and access management, and the Duo @ Weblogin project lead. “Based on work style, travel or need, individuals may choose alternate options, such as passcodes, landline or hardware token.”
Those looking for advice on which options to use can visit the Safe Computing website, reach out to their unit IT staff or contact the ITS Service Center or Health Information Technology and Technology Services Service Desk.
Logging in with Duo takes only a few additional seconds. The recently updated “Remember me” function allows individuals to authenticate for seven days, assuming they use the same web browser and do not completely log out of their computer.
Faculty and staff can visit safecomputing.umich.edu and click the green Duo button to find more information and learn exactly what they need to do to better protect the university’s digital assets as well as their own.