Two-factor authentication to protect email and Microsoft services on campus

Illustration of Duo two-factor authentication

Colorado State University faculty, staff and students will soon have an extra layer of protection between their personal data and malicious hackers as CSU rolls out two-factor authentication for email access.

Attacks on sensitive institutional data and personally identifiable information at universities across the country have risen sharply over the past year, with one of the most recent data breached announced by the University of Colorado in early February. Such attacks can shut down a campus for days while vital systems are locked down and data restored.

To strengthen the security of CSU’s critical online infrastructure, Central IT is expanding the existing DUO authentication for access to the university computer network to include Office 365 services and email.

“Since the beginning of the COVID-19 pandemic, attackers have increased their targeting of higher education and home workers,” said Steve Lovaas, security officer for the CSU System. “Phishing and other kinds of online fraud are up over 600% in the past year, with email representing the most common vector for damaging attacks. The university, our systems, and all of our personal data are at risk.”

Access with trusted device

Anyone logging into the CSU network through the Pulse VPN from locations off campus has been required to use the DUO two-factor authentication for access since April 2018. With so many faculty and staff teaching and working remotely for the past year due to the pandemic, nearly 95% of CSU employees have already registered a trusted device with DUO for secure network access.

Anyone who has a device registered with DUO will automatically receive email protection on June 1. Once you authenticate your account the first time, you won’t be asked to do it again unless you log in from a different computer, use a different internet browser, or change your CSU password.

Anyone without DUO already set up on June 1 will not be protected automatically, but you can add DUO protection to your email at any time.  This fall, you will be required to use DUO to access Office 365 email.

“DUO for two-factor authentication is an easy and increasingly familiar tool for reducing the most common and dangerous attacks,” Lovaas explained. “Extending that protection to email will be only a small change for most users, but it will have a significant effect on the safety of the CSU community.”

The majority of the CSU community already using two-factor authentication have registered the DUO mobile app on their mobile phones. To ensure continued access to email, ACNS recommends registering an additional device, such as an office or home phone, a hardware token available from Ram Tech, or a trusted individual’s phone number.

“If you lose, misplace, or simply forget your mobile device, or change your mobile service, having a second registered device will save the day,” Lovaas said.

More information available at the ACNS website.