Note: Please visit this UIT Knowledge Base article for detailed information about the security upgrades, including the impact to your devices, system requirements, and technical support.

UIT will begin rolling out security upgrades to help prevent unauthorized access to university email accounts as a result of phishing schemes.

Starting on July 15, 2020, UIT’s Information Security Office (ISO) and Chief Technology Officer organization will begin implementing Microsoft Modern Authentication and (in a phased approach) two-factor authentication (2FA) for UMail and university-licensed Microsoft applications.

Modern Authentication, a Microsoft security protocol used by many organizations to help protect users' accounts, will be rolled out for all users in mid-July. This change, affecting University of Utah and University of Utah Health staff, faculty, students and affiliates, will require some users to reconfigure their computers and/or mobile devices in order to reconnect to UMail (detailed instructions will be provided). Users should carefully read the minimum requirements for supporting modern authentication to prepare for the change.

UMail Outlook Web Access will continue to be available via web browsers on mobile devices and computers. Email and calendar notifications, however, are not available with this method.

The security updates will eventually require all University of Utah and U of U Health faculty, staff and affiliates, as well as students with access to restricted university data, to use 2FA to log in to those services.

2FA is a security enhancement that allows you to present two credentials (e.g., your password and a phone with an authentication app) when logging in to an account. 2FA makes it far more difficult for attackers to access your account or information if they somehow gain access to your password. The U’s current 2FA solution is Duo Security, or Duo 2FA.

The security update proposal was presented to numerous main campus and U of U Health committees and was approved by the Strategic Information Technology Committee.

“The best security control that the university can implement to reduce the risk of compromised credentials is two-factor authentication for any service that contains sensitive or restricted data,” said Jake Johansen, enterprise security associate director.

Although UIT blocks a majority of malicious or unsolicited inbound email, the ISO continually sees attempted and successful phishing attacks against U and U of U Health users, all of whom have some degree of sensitive data in their email accounts, Johansen said. Phishing is when an attacker attempts to acquire your password by impersonating a trusted and/or known source or organization, in the hopes of tricking you into accidentally providing your password, potentially leading to the attacker gaining unauthorized access to your email account, information and other resources protected by the same password.

No area—campus or hospital—is immune, Johansen said. Once compromised, credentials can be used in phishing attacks against other university members.

UIT will implement modern authentication and 2FA for UMail and Microsoft applications in two phases:

1. Mid-July: Modern authentication will be turned on for all users, including faculty, staff, students, affiliates and U of U Health personnel. Users with access to sensitive or restricted data will be required to begin using 2FA for UMail and Microsoft apps.
2. Mid-September: All faculty and staff will be required to begin using 2FA for UMail and Microsoft apps. Students who do not access sensitive or restricted data will not be required to use 2FA.

Johansen noted that the security enhancement isn’t new to the university, as employees have used Duo 2FA to access sensitive services (e.g., Campus Information Services, Canvas, Box) for a number of years. Like those resources, UMail and Microsoft app sessions will time out after 12 hours, requiring users to reauthenticate for continued access.

Users who have unusual work- or course-related reasons that 2FA for UMail would be untenable may request an exception from their cognizant dean or vice president. Anyone with access to sensitive and restricted data, such as PHI, is not eligible for an exception.

U of U Health personnel can find more information on the Pulse UMail and Office 365 apps Duo security upgrade page (authentication required).

Additional information for campus users, including a detailed timeline and help guides, is forthcoming. To receive the latest news about this project, please subscribe to UIT's public news service. Updates will be published here on @theU, as well as communicated to the U community through multiple channels.