Jessie Minton, Vice Provost for Information Services and Chief Information Officer, and Leo Howell, Chief Information Security Officer, sent the following message to UO faculty, staff, and graduate employees on May 20, 2020:
Subject: Enrollment in two-step login (Duo) required by July 29
Dear UO faculty, staff, and GEs,
With spring term nearly complete, we wanted to express our deep appreciation for everything you've done to teach, work, and persist through the disruptions caused by the COVID-19 (coronavirus) pandemic.
As part of our work to secure the university's systems and data, especially during this unusual time, we will be expanding UO's two-step login service in two important ways in the coming weeks. Action is required.
- All UO faculty, staff, and GEs must enroll in two-step login (Duo) by July 29.
- The list of UO services protected by Duo will include UOmail and Office 365 starting June 3.
- Duo is quick and easy yet powerful.
- We encourage you to use your smartphone or tablet for Duo, at least temporarily.
- Learn more and get help in the UO Service Portal.
Protect Yourself, Protect the Flock
Enrolling your Duck ID account in two-step login protects not just you but also your students, colleagues, and the university as a whole.
Enroll in Duo now by following these brief instructions. While enrollment is voluntary at this time, the deadline for taking action is rapidly approaching.
Starting on July 29, you will be required to use Duo before you can log in to any protected UO services. All faculty, staff, and graduate employees must be enrolled by July 29.
Thousands of UO employees have already enrolled in Duo. Many thanks to those of you who are putting it to use!
Student employees can choose to enroll in Duo at this time but are not required to. Student enrollment in Duo will be addressed in a future phase of this project.
As CIO Minton wrote in February, universities around the world, including the UO, were already high-priority targets for hackers before COVID-19. Cybercriminals try to steal credentials from UO faculty, staff, and students in hopes of gaining unauthorized access to UO systems that contain personal information, research data, and intellectual property.
Since the COVID-19 outbreak began, such attacks have only increased globally.
At the same time, the pandemic has made universities more vulnerable. The vast majority of UO students, faculty, and staff are now learning and working off campus, where it is more difficult for our institution to secure data that would typically be accessed through our campus networks.
Simple yet Powerful
Thankfully, two-step login blocks nearly 100% of attacks based on credential theft, according to research by Google and Microsoft.
At a time when everyone is adjusting to so many other changes, we're glad to report that two-step login with Duo Security is as simple as it is powerful. The university's IT staff, including both of us, have been using Duo for many months already and find it remarkably unobtrusive.
Most people will only have to do two-step login about once a week. Just use the "Remember me for 7 days" option. When your verification day comes, it's as simple as tapping a button in a mobile app, entering a code, or answering a telephone call, depending on what devices you've registered.
Starting on June 3, Duo will go into effect for Office 365 and UOmail. If you're already using Duo, you'll start receiving Duo prompts that day from UO Microsoft applications and services, including Word, Outlook, Teams, OneDrive, and others.
In the coming months, UO VPN and other services will follow.
If you have a smartphone or tablet, we strongly encourage you to register it for Duo, at least temporarily.
Although other device options exist, they're better suited to UO's normal campus operations, when many people have an office phone handy and it's easier for IT staff to distribute hardware tokens.
For those who are reluctant to use a personal device for two-step login on a routine basis, you can register your device once, then write down passcodes or request temporary emergency bypass codes. Once campus operations return to normal, you can register an alternative device and unregister your smartphone.
Because logging in is such a fundamental aspect of nearly everything we do at the university, some people may be concerned about how two-step login will impact them. The university and Information Services remain committed to working with IT staff throughout the UO to minimize any impacts and ensure a smooth rollout.
- Training videos, an FAQ, and other information about Duo are available in the UO Service Portal.
- If you need help enrolling in two-step login, contact the IT staff in your unit, if applicable, or the Technology Service Desk, or submit a help request through the two-step login support page in the UO Service Portal.
- Learn more about this project at is.uoregon.edu/uo-does-duo.
Together we can advance cybersecurity at the University of Oregon. Thank you for helping us achieve that goal.
Jessie Minton
Vice Provost for Information Services and Chief Information Officer
Leo Howell
Chief Information Security Officer