Since the start of the COVID-19 pandemic, there has been a substantial rise in scams/phishing attacks preying on people’s fears about COVID-19. In the University sector this has been widespread and some institutions have faced damaging ransomware attacks as a result of compromised accounts.
We have been seeking guidance from external advisory boards and looking to best practice guidelines from the National Cyber Security Centre (NCSC). After careful consideration, we have decided to do a rapid deployment of Office365 Multi-Factor Authentication (MFA).
We’ve done several rounds of testing within Information Services teams and now have the whole of IS using MFA with very little incident.
We are now ready to deploy MFA more widely across the organisation and will be rolling this out in phases to staff and students in phases.
You will be contacted by the Information Centre when MFA is being switched on for you.
What is MFA?
Multi-factor Authentication (MFA) is an approach to online security that requires you to provide more than one type of authentication for a login or other transaction.
Also known as ‘Two-step Verification’, MFA adds an extra layer of protection to your account and is used on a regular basis for many online transactions such as banking, shopping, or PayPal.
MFA requires you to authenticate using:
Something you know: your username and password
Something you have: a trusted device, such as your mobile phone, on which to receive and respond to verification requests
Why are we introducing MFA?
Using MFA significantly increases the security of your account and therefore your data. By using MFA, it is much harder for hackers to do damage to our network when somebody gives up their account details by means of a scam email, as they’d need to be in possession of the authentication device also to access the phished account.
What does this mean in practice?
When you go to access any of the Office365 apps like Outlook, OneDrive, SharePoint, Teams, you will first be asked to login as usual and then provide verification in a second step using your mobile.
Normally you would login using your Microsoft credentials: email@example.com and your network password.
With MFA, there’s an additional screen which asks you to confirm the login on your trusted device. If you use the Microsoft Authenticator App, a wee pop up will appear on your mobile device asking you if you want to allow the login request. Simply click ‘Allow’ to get logged in. You can also set MFA up to text you a code which you would enter on logging in, or to phone you on a landline with a code to be entered on login.
You won’t have to login every time you access O365, you will be asked whether you want to stay logged in to O365 on successful authentication – if click yes, this will minimise the number of login requests you will receive.
How to get set up for MFA
The first time you encounter MFA (after doing your usual login to Office 365), you will see a screen ‘More information required’. Click ‘Next’ and follow the on screen instructions to set up MFA. Have your mobile device to hand. Detailed instructions with screenshots are available in the PDF attached to this UniDesk knowledge item: http://stir.ac.uk/36f
What happens next
We will get in touch with you via email when it is your turn to get set up with MFA. It is a good idea to download the Microsoft Authenticator App ahead of time so that you are ready.
We are likely to introduce MFA to the remote desktop gateway and the VPN in future. Both of these will use the same Microsoft authentication method and will significantly improve security on our remote services. Testing is currently being done on both services prior to roll out but we will not implement until after the whole staff is using O365 MFA. Rollout to the wider staff community is likely to be phased in order for the Info Centre to be able to handle enquiries. Rollout to students will not be undertaken until after the exam period.
If you need any help, please contact the Info Centre as usual. We will be building our FAQs for the wider University community as your questions come in, so please don’t be afraid to ask us any questions. http://stir.ac.uk/36f