UIT: Upgrading your security

UIT will begin rolling out security upgrades to help prevent unauthorized access to university email accounts as a result of phishing schemes.

Starting on July 15, 2020, UIT’s Information Security Office (ISO) and Chief Technology Officer organization will begin implementing Microsoft Modern Authentication and (in a phased approach) two-factor authentication (2FA) for UMail and university-licensed Microsoft applications.

Modern Authentication, a Microsoft security protocol used by many organizations to help protect users' accounts, will be rolled out for all users in mid-July. This change, affecting University of Utah and University of Utah Health staff, faculty, students and affiliates, will require some users to reconfigure their computers and/or mobile devices in order to reconnect to UMail (detailed instructions will be provided). Users should carefully read the minimum requirements for supporting modern authentication to prepare for the change.

UMail Outlook Web Access will continue to be available via web browsers on mobile devices and computers. Email and calendar notifications, however, are not available with this method.

The security updates will eventually require all University of Utah and U of U Health faculty, staff and affiliates, as well as students with access to restricted university data, to use 2FA to log in to those services.

2FA is a security enhancement that allows you to present two credentials (e.g., your password and a phone with an authentication app) when logging in to an account. 2FA makes it far more difficult for attackers to access your account or information if they somehow gain access to your password. The U’s current 2FA solution is Duo Security, or Duo 2FA.

The security update proposal was presented to numerous main campus and U of U Health committees and was approved by the Strategic Information Technology Committee.

“The best security control that the university can implement to reduce the risk of compromised credentials is two-factor authentication for any service that contains sensitive or restricted data,” said Jake Johansen, enterprise security associate director.

Although UIT blocks a majority of malicious or unsolicited inbound email, the ISO continually sees attempted and successful phishing attacks against U and U of U Health users, all of whom have some degree of sensitive data in their email accounts, Johansen said. Phishing is when an attacker attempts to acquire your password by impersonating a trusted and/or known source or organization, in the hope of tricking you into accidentally providing it. This can potentially lead to the attacker gaining unauthorized access to your email account, information and other resources protected by the same password.

No area—campus or hospital—is immune, Johansen said. Once compromised, credentials can be used in phishing attacks against other university members.

UIT will implement modern authentication and 2FA for UMail and Microsoft applications in two phases:

  1. Mid-July: Modern authentication will be turned on for all users, including faculty, staff, students, affiliates and U of U Health personnel. Users with access to sensitive or restricted data will be required to begin using 2FA for UMail and Microsoft apps.
  2. Mid-September: All faculty and staff will be required to begin using 2FA for UMail and Microsoft apps. Students who do not access sensitive or restricted data will not be required to use 2FA.

Johansen noted that the security enhancement isn’t new to the university, as employees have used Duo 2FA to access sensitive services (e.g., Campus Information Services, Canvas, Box) for a number of years. Like those resources, UMail and Microsoft app sessions will time out after 12 hours, requiring users to reauthenticate for continued access.

Users who have unusual work- or course-related reasons that 2FA for UMail would be untenable may request an exception from their cognizant dean or vice president. Anyone with access to sensitive and restricted data, such as PHI, is not eligible for an exception.

U of U Health personnel can find more information on the Pulse UMail and Office 365 apps Duo security upgrade page (authentication required).

Additional information for campus users, including a detailed timeline and help guides, is forthcoming. To receive the latest news about this project, please subscribe to UIT's public news service. Updates will be published here on @theU, as well as communicated to the U community through multiple channels.

System Requirements

Mac and PC computers

  • Microsoft Office 2016 or higher for Windows or MacOS
  • MacOS native mail client on systems running MacOS 10.14 (Mojave) or newer
  • Before upgrading, you may want to review system checks to ensure a smooth MacOS upgrade
  • Use of a modern, up-to-date web browser, such as Chrome, Firefox or Internet Explorer for web-based access to email and Office 365
  • UIT advises that users download and install Microsoft Outlook

Mobile devices

  • The latest version of the Microsoft Outlook app from the App Store or Google Play Store
  • iOS 11.0 or higher native mail client
  • UIT advises that users download and install Microsoft Outlook

Support

If you have questions or need technical assistance, your local IT support staff may be able to assist, or you may contact your respective central help desk.

Resources

To learn more about Duo Security—the U’s two-factor authentication service—click here.

To learn more about phishing, watch this video or refer to this Knowledge Base article.

For more Information Security Office news and resources, please visit the ISO website.

For additional help articles about Duo, phishing, and other security items, please visit the Security & 2FA category in the IT Knowledge Base.

If you cannot tell whether an email is legitimate, please forward it as an attachment to phish@utah.edu or call your respective central help desk:

  • Campus Help Desk: 801-581-4000, option 1
  • Hospital Service Desk: 801-587-6000