SECURITY UPGRADES TO IMPACT UMAIL, MICROSOFT USERS
Note: Please visit this UIT Knowledge Base article for detailed information about the security upgrades, including the impact to your devices, system requirements, and technical support.
Change may require campus and hospital users to reconfigure or obtain new devices, and log in to UMail and Microsoft apps with two-factor authentication
UIT will begin rolling out security upgrades to help prevent unauthorized access to university email accounts as a result of phishing schemes.
Starting on July 15, 2020, UIT’s Information Security Office (ISO) and Chief Technology Officer (CTO) organization will begin implementing Microsoft modern authentication and, in a phased approach, two-factor authentication (2FA) for UMail and university-licensed Microsoft applications.
Modern authentication, a Microsoft security protocol used by many organizations to help protect users' accounts, will be rolled out for all users on July 15, 2020. This change, affecting University of Utah and University of Utah Health staff, faculty, students, and affiliates, will require some users to reconfigure their computers and/or mobile devices in order to reconnect to UMail (detailed instructions will be provided soon). Users should carefully read the minimum requirements for supporting modern authentication to prepare for the change.
UMail Outlook Web Access (www.umail.utah.edu) will continue to be available via web browsers on mobile devices and computers. Pop-up email and calendar notifications, however, are not available with this method.
The security updates will eventually require all University of Utah and U of U Health faculty, staff, and affiliates, as well as students with access to restricted university data, to use 2FA to log in to those services.
2FA is a security enhancement that allows you to present two credentials (e.g., your password and a phone with an authentication app) when logging in to an account. 2FA makes it far more difficult for attackers to access your account or information if they somehow gain access to your password. The U’s current 2FA solution is Duo Security, or Duo 2FA.
The security update proposal was presented to numerous main campus and U of U Health committees, and was approved by the Strategic Information Technology Committee (SITC).
“The best security control that the university can implement to reduce the risk of compromised credentials is two-factor authentication for any service that contains sensitive or restricted data,” Enterprise Security Associate Director Jake Johansen said.
Although UIT blocks a majority of malicious or unsolicited inbound email, the ISO continually sees attempted and successful phishing attacks against U and U of U Health users, all of whom have some degree of sensitive data in their email accounts, Johansen said. Phishing is when an attacker attempts to acquire your password by impersonating a trusted and/or known source or organization, in the hopes of tricking you into accidentally providing your password. This can lead to the attacker gaining unauthorized access to your email account, information, and other resources protected by the same password.
No area — campus or hospital — is immune, Johansen said. Once compromised, credentials can be used in phishing attacks against other university members.
UIT will implement modern authentication and 2FA for UMail and Microsoft applications in two phases:
1. July 15, 2020: Modern authentication will be turned on for all users, including faculty, staff, students, affiliates and U of U Health personnel. Users with access to sensitive or restricted data will be required to begin using 2FA for UMail and all O365 applications, including Skype for Business and Teams.
2. Mid-September: All faculty and staff will be required to begin using 2FA for UMail and all O365 applications, including Skype for Business and Teams. Students who do not access sensitive or restricted data will not be required to use 2FA.
Johansen noted that the security enhancement isn’t new to the university, as employees have used Duo 2FA to access sensitive services (e.g., Campus Information Services, Canvas, Box) for a number of years. Like those resources, UMail and Microsoft app sessions will time out after 12 hours, requiring users to reauthenticate for continued access.
Users for whom 2FA for UMail would be untenable because of unusual work- or course-related reasons may request an exception from their cognizant dean or vice president. Anyone with access to sensitive and restricted data, such as PHI, is not eligible for an exception.
U of U Health personnel can find more information on the Pulse UMail and Office 365 apps Duo security upgrade page (authentication required).
For additional information, including instructions, please refer to this UIT Knowledge Base article. To receive the latest news about this project, please subscribe to UIT's public news service. Updates also will be published in At The U and communicated to the U community through multiple channels.
To learn more about Duo Security, the U’s two-factor authentication service, please refer to this Knowledge Base article.
For more Information Security Office (ISO) news and resources, please visit the ISO website.
For additional help articles about Duo, phishing, and other security items, please visit the Security & 2FA category in the IT Knowledge Base.
If you cannot tell whether an email is legitimate, please forward it as an attachment to firstname.lastname@example.org or call your respective central help desk:
- Campus Help Desk: 801-581-4000, option 1
- Hospital Service Desk: 801-587-6000