Two Factor Authentication

Posted on: July 13, 2018

Like many workplaces, UT Austin runs on email.  For many of us, checking email is likely one of the first tasks of the day and the last at night.  Our dependence on email is greater than ever, and consequently, email has become the most popular attack vector for cybercriminals to steal sensitive information like user credentials.

As a major research university, we are constantly targeted by nation-state actors seeking to steal research and academic data and intellectual property.  Just last month, the Information Security Office (ISO) identified 49 compromised staff and faculty accounts, of which a disproportionate amount (36%) belonged to science- and technology-related campus units.

University hacking campaigns are the new normal, and the threat is serious.  In March, the Department of Justice revealed a ‘spearphishing’ campaign in which nation-state actors targeted more than 100,000 accounts of professors around the world. Hackers successfully compromised 8,000 professor email accounts across 144 U.S.-based universities.  Estimates range upwards of 31.5 terabytes of academic data and intellectual property were stolen, the cost of which ranges in billions of dollars of value.  Wow!

Securing our email services with two-factor authentication (2FA) is the first step to help address this growing problem. 2FA strengthens access security by requiring two methods to verify identity:

  1. Something you know (your UT EID credentials)
  2. Something you have (a device such as a smartphone or tablet)

2FA helps protect against phishing, password brute-force attacks, and attackers exploiting weak or stolen credentials.  It’s already in targeted use at the university to secure highly sensitive information and services. For example, faculty and staff are required to use 2FA for claiming their W-2 or connecting to the VPN.

The next 2FA implementation will be to secure access to web-based email. UT System and the UT Austin Information Security Office (ISO) have issued mandates to have this in place by November 9, 2018. Both Office 365 and UTmail will be in scope. For UTmail, only “business” accounts will require 2FA. These are a small percentage (~5%) of the overall accounts and are typically used by faculty and staff.  More information on this important initiative is available on the project page, and I look to providing an update to campus in early fall semester.  This will become part of a larger multi-factor authentication strategy that our team is working on.