University of Pittsburgh

February 16, 2017

Technology Corner


Multifactor authentication protects your personal information

The University began offering multifactor authentication to address the increasing risks from phishing scams and malicious software. Multifactor authentication provides an essential layer of security that safeguards your personal information and University data should you fall victim to a phishing scam or in some other way have your password compromised.

Beginning March 5, multifactor authentication will be required for all services that faculty and staff access through the University’s single sign-on service, Pitt Passport, and when using the Secure Remote Access service to connect to University resources.

The sophistication of phishing scams has increased dramatically. The University’s security software blocks 90 percent of the phishing scams and malicious software from reaching the University community, but of those that get through, there usually are several individuals who will be fooled into clicking on a link or providing account information. According to the 2016 Verizon Data Breach Investigations Report, 30 percent of phishing messages were opened nationwide, and 12 percent of malicious attachments and links were opened. Our records show that the University’s results are consistent with these percentages.

These threats pose an immediate risk to your personal information and the security of University data. Through the efforts of our security team, we identify and routinely intervene to prevent damage or exposure of data, but as the threats escalate, a more robust solution is required.

Why multifactor authentication?

Hackers are constantly searching for ways to compromise your password. If your password is guessed, hacked, stolen or shared with someone, it can have serious consequences — for you and the University.

The University has put in place a robust array of security measures to protect you, including enterprise network firewalls, required password changes, advanced email threat protection, phishing education programs and the Pitt Passport single sign-on service. These protections play an important role in the University’s layered approach to security, but they can be thwarted once your password has been compromised.

Multifactor authentication is an additional layer of security designed to prevent unauthorized access to University information and data, including confidential retirement account details, pay statements or direct deposit information.

The University’s multifactor authentication solution, provided by Duo Mobile, means that to log in to a service, you will need two “factors”: something you know (like your password) and something only you have (like your mobile phone, on which you will receive a login confirmation notice).

How does it work?

Protecting yourself with multifactor authentication begins with registering a device, such as a smartphone or tablet, at accounts.pitt.edu. You only need to do this once. Click the Add/Manage Pitt Passport Devices link and complete the brief registration. If you register a mobile device, you also will be prompted to install the Duo Mobile app. Once your device is registered, it’s a good idea to register a second device — such as your office phone — so you have a backup in case you don’t have access to your smartphone.

Next, you will click the Secure Pitt Passport Services link at accounts.pitt.edu and select the option to enable multifactor authentication for all Pitt Passport services. After March 5, you will no longer need to complete this step because multifactor authentication will be enabled by default.

Now you are protected by multifactor authentication. The next time you log in to a University service that utilizes the secure Pitt Passport login page, you will be prompted to verify your identity with multifactor authentication. You can do so in one of three ways:

• “Send me a push” will send a notification to your smartphone or tablet. Just tap Accept and you will be logged in. (If you ever receive a login request that you were not expecting, tap Deny and report it to the Technology Help Desk right away.)

• “Call me” will dial your phone and play a recorded message. Press 1 to complete the login process.

• “Enter a passcode” will prompt you to enter a passcode that has been sent to your phone. This code can be sent to you as a text message or generated using the Duo Mobile app. A bypass code also can be provided by the Technology Help Desk.

You can start today

Don’t wait until March 5 to take advantage of the added protection multifactor authentication provides. The step-by-step instructions at http://technology.pitt.edu/multifactor will get you up and running immediately. Keep in mind that if you do not register a device for multifactor authentication in advance, you will need to complete the registration process in order to access any service through Pitt Passport beginning March 5.

Once you start using multifactor authentication you’ll see how quick and easy it is. For example, you can choose to automatically receive a push notification on your phone whenever you log in. All you have to do is tap Accept.

The cybersecurity landscape is constantly evolving and new threats are always emerging. The good news is that Pitt’s defenses against security threats are evolving, too.

Sean Sweeney is the University’s chief information security officer. He can be reached at 412-624-5595 or sweeney2@pitt.edu.

