Microsoft Multifactor Authentication Overview

To better protect the University from cyberattacks on our email system and ultimately our computer network, the Office of Information Technology is implementing a new method to sign into your Microsoft email accounts and services. We will be using a multifactor authentication system which is a login process that requires a second means of verification in addition to your password. The information below will give you details and guide you through the process. We appreciate your patience, support, and continued vigilance as we work together to protect the University’s information and information assets and maintain quality services to students, staff, faculty, and researchers. 

Implementing Multifactor Authentication—What to Expect 

On November 1, 2022, at 6:30 am, multifactor authentication was implemented for all Academic Faculty, Administrative Faculty, Classified Staff, Classified Hourly, Residents, Letters of Appointment, Postdoctoral Scholars and On Campus Affiliate 2 Contingent Workers. Hourly Student Employees and Graduate Students MFA was implemented on December 9, 2022 at 8:30 am.

Our solution will be configured to allow for multiple means of authentication using any one of the following methods for the second verification: 

  1. Use the Microsoft Authentication app – an application downloaded to your mobile phone that randomly generates numbers used as the secondary authenticator.  
  2. Use your mobile phone (SMS/text): a unique numeric code will be sent via text to your cellphone.  
  3. Use your mobile, office, or alternate phone (voice): the multifactor authentication request will be sent and completed auditorily. 

You can set up your accounts ahead of time in order to prepare and be ready for the implementation.  

OIT highly recommends using your smartphone unless it's absolutely impossible for you to do so. Using the Microsoft Authenticator app allows you to confirm your identity by pressing a button from a simple, on-screen prompt. The app also provides a constantly changing code that you can use instead if your phone does not have an active internet connection for any reason. 

WARNING: If your university desk telephone has been converted to a Microsoft Teams phone that requires that you log in to said phone using your NetID, you should not use this phone number as an authentication option. 

OIT has also developed a Knowledge Base FAQ that will provide solutions to the most common problems and concerns for users. 

If after visiting the Knowledge Base FAQ page you need further assistance, please contact the OIT Support Center.  

What is Multifactor Authentication? 

Multifactor authentication describes a login process that requires two or more means of verification in addition to your password – the University will be using two methods of verification. In most cases, that second factor is a text message you receive, or responding to an app installed on your phone. Even if you're not familiar with the term, multifactor authentication is common enough today that you're probably using it without even thinking about it. We are already using it for Workday with Okta, and it is offered (or even required) for most online banking accounts, and it's available on every popular social media platform. 

It is a core component of a strong identity and access management policy. Rather than just asking for a username and password, multifactor authentication requires additional verification factors, which decreases the likelihood of a successful cyberattack. 

Those two forms of authentication are: something you know and something you have with you. The something you know is your NetID and password. The something you have with you can be a mobile device, an office telephone, or a home/alternate phone. 

Ultimately, this makes it more challenging for a hacker to access users accounts without that secondary piece of the identifier. 

What is Multifactor Authentication Fatigue? 

With the implementation of multifactor authentication comes new tactics, techniques, and procedures that malicious actors will utilize to compromise accounts. 

One of the most seen is the use of multifactor authentication fatigue or "prompt bombing" by malicious actors. Multifactor authentication fatigue refers to the overload of prompts or notifications a victim would receive via multifactor authentication applications.  

Once a threat actor has a victim's credentials, they will begin requesting approval for sign-in via the victim's multifactor authentication application. The goal for the threat actor is to overwhelm the victim's phone with multifactor authentication push notifications, hoping the victim approves one of the requests to make the notifications stop. If a victim accepts a malicious multifactor authentication request, the threat actor now has access to all data protected by multifactor authentication. Furthermore, once a threat actor has gained access to an account, they can update the compromised accounts to send multifactor authentication verification messages to telephone numbers they have access to, bypassing the need to have the compromised user approve future multifactor authentication requests. 

This technique only works if the malicious actor(s) have already compromised the credentials of a targeted account from a previous compromise such via phishing, brute forcing, or password spraying. As soon as multifactor authentication has been enabled for your account, OIT suggests setting up the Microsoft Authenticator app immediately. 

Why is Multifactor Authentication Important? 

The threat of cybersecurity incidents is growing exponentially every year in every business sector in the U.S., and these threats are appearing in the higher education sector at an increasingly alarming rate: 

  • There were 455 reported cybersecurity incidents in the higher education sector in 2021. 
  • 87% of higher education institutions in the U.S. have experienced at least one successful cyberattack. 
  • 83% of universities in the U.S. believe that cyberattacks are increasing in frequency and sophistication. 
  • 79% of universities in the U.S. have experience damage to their reputations. 
  • 74% of universities in the U.S. have had to halt a valuable research project due to a cyberattack. 

As a result of these national and global threats, the University’s impending cybersecurity framework assessment, and the University’s need to maintain cost-effective cybersecurity insurance, the University of Nevada, Reno will be expanding our implementation of multifactor authentication to now include our Microsoft services. Currently, the university community already uses multifactor authentication for access to Workday and AssetWorks. This solution will ensure regulatory compliance and minimize the risk to information assets. 

Why is Multifactor Authentication Important at the University? 

According to purplesec.us, the education sector is the least prepared industry for cyberattacks. There are several examples of universities that have been hit with multiple cyberattacks just because they did not reinforce their systems after a first or second attack. According to a 2021 threat intelligence report from Blue Voyant, in the U.S.:  

  • 64% of higher education respondents, equaling 410 higher education institutions, were hit by ransomware in 2021.  
  • 50% of those hit by ransomware paid a ransom, and among those that paid a ransom, doing so resulted in only restoring about 61% of their data.  
  • 100% of those hit by ransomware attacks reported that cyber insurance covered at least some of the resulting costs. 

Henry Stoever, President and CEO of the Association of Governing Boards of Universities and Colleges, may have said it best when noting more Boards of Trustees are now realizing that cyberattacks pose a truly serious risk to their institutions: 

“It can pose an existential threat to any organization – large or small, public or private,” he said. “If you cannot operate your business, if you can’t operate your college, then you may not be able to exist.”[1] 

 


[1] From Cyberattacks Pose ‘Existential Risk’ To Colleges – And Sealed One Small College’s Fate, Forbes.com 

0% helpful - 2 reviews