University of Michigan
News for Faculty and Staff

September 24, 2017

Protect personal information with two-factor authentication

November 14, 2016

Protect personal information with two-factor authentication

All members of the University of Michigan community now have the option to add extra security to protect personal and university information when logging into online U-M services.

It's available for U-M faculty, staff and students, as well as sponsored affiliates, alumni and retirees. Information and Technology Services introduced the option as part of an effort to increase data protection on U-M campuses by expanding two-factor authentication from Duo Security.

The added security step occurs via the Weblogin page, which is the screen people use to log in to Wolverine Access, U-M Google and other secure U-M online activities.

Strong passwords remain important, but they are not enough anymore. Two-factor authentication adds a second layer of security, keeping an individual's account secure even if their password is compromised. It requires two proofs of identity when logging in:

• Something you know, such as a UMICH password.

• Something you have, such as a push notification sent to a smartphone.

 

Learn about the benefits of two-factor authentication.

 

Two-factor authentication is becoming more common in higher education and in the marketplace. For example, Penn State requires it for staff and faculty.

In a recent University Record interview on cyber security at U-M, Chief Information Security Officer Don Welch noted that "higher education has the highest number of IT security breaches among most industry sectors."

If a UMICH (Level-1) password is stolen — whether through phishing or hacking — that U-M account can be used to mimic the individual online. A malicious attacker can use the account to send spam, access tax or bank account info, or steal research.

By turning on two-factor authentication for Weblogin, individuals at U-M can take an important step to protect their online identity and prevent hackers and criminals from being able to access their W-2s, direct deposit info, U-M Google email and more.

Kevin Hegarty, executive vice president and chief financial officer, adds extra IT security to his U-M Weblogin. (Photo courtesy of Information and Technology Services)

This fall, more than 140 staff, faculty and students tried out the option at U-M and, when asked, 80 percent "strongly agreed" that they would continue using the additional security to protect personal and university information.

Denise Stegall, senior director for records and information services in University Human Resources, turned on two-factor authentication during the pilot and endorses the option.

"As one of the HR data stewards, I am aware of many examples of identify fraud. Knowing that I can add a layer of protection … to reduce opportunities for hacking (and) fraud to protect all U-M employees is worth a few more clicks a day using two-factor authentication," she said.

Martin Sager, an information systems manager in ITS, also participated in the pilot and says, "Members of the U-M community are targeted for their credentials. Having Duo enabled makes me feel more secure."

For those already using Duo, it's simple to turn on two-factor authentication at UMICH Account Management under the two-factor (Duo) tab. Those at the U-M Health System can also turn it on via the UMHS Profile page. Those not yet using Duo will need to first enroll in a Duo option, then turn on the two-factor authentication feature.

When individuals turn on two-factor authentication, they are required to use Duo when logging in to U-M services on the web via the Weblogin page. The first step is to enter a uniqname and UMICH (Level-1) password, and the second step is to approve a Duo login. The extra security applies to all services via the Weblogin page. It cannot be used for some services and not others. Most report needing to use Duo only a few times a day.

Currently, more than 25,600 individual accounts use Duo to access U-M systems that require it. Now the university is strongly encouraging all U-M faculty and staff to safeguard personal and university data by turning on Duo two-factor authentication for Weblogin. As one pilot participant said, "Once you get used to using Duo, it's just automatic."

Comments

Ron Campbell
on 11/15/16 at 7:11 am

Every time I have tried to activate the "two factor authentication" it ask for my cell number etc as if to do this to my personal devise. I do not wish to do this to my personal devises I only use my computer at work to log on. So, what am I missing to set up the two factor authentication for my work computer as it does not appear to be an option?

David Winter
on 11/15/16 at 7:47 am

When I clicked on the "additional information about two-factor identification" link, it said "the server could not be found." Makes me unlikely to use a system that doesn't work!

Jamie Iseler
on 11/15/16 at 8:01 am

That link has been fixed and should work now.

Victoria Neff
on 11/15/16 at 9:47 am

I tried to set up two-factor identification, but it makes me add an app to my phone. I have an 8 gig phone -- no room for more apps! Why can't you text me a code instead of making me add an app?

Jessica Rohr
on 11/15/16 at 11:32 am

You can enroll your 8 GB phone to receive Duo text message passcodes instead of installing an app! You can find instructions on how to do this here: http://documentation.its.umich.edu/2fa/enroll-landline-or-non-smart-cell...
I think the key is to enroll your phone as a Mobile Phone, but then select select Other (and cell phones) on the next screen, then click Continue. You shouldn't be prompted for an app if you do this. Please call the ITS service center at 4-HELP if you have any problems!

Victoria Neff
on 11/16/16 at 1:10 pm

Thank you, Jessica!

Commenting is closed for this article. Please read our comment guidelines for more information.