CIO and CISO Announce Two-Step Login (Duo) Enrollment Deadline for UO Faculty, Staff, and GEs

Jessie Minton, Vice Provost for Information Services and Chief Information Officer, and Leo Howell, Chief Information Security Officer, sent the following message to UO faculty, staff, and graduate employees on May 20, 2020:

Subject: Enrollment in two-step login (Duo) required by July 29

Dear UO faculty, staff, and GEs,

With spring term nearly complete, we wanted to express our deep appreciation for everything you've done to teach, work, and persist through the disruptions caused by the COVID-19 (coronavirus) pandemic.

As part of our work to secure the university's systems and data, especially during this unusual time, we will be expanding UO's two-step login service in two important ways in the coming weeks. Action is required.

Key Points

Protect Yourself, Protect the Flock

Enrolling your Duck ID account in two-step login protects not just you but also your students, colleagues, and the university as a whole.

Enroll in Duo now by following these brief instructions. While enrollment is voluntary at this time, the deadline for taking action is rapidly approaching.

Starting on July 29, you will be required to use Duo before you can log in to any protected UO services. All faculty, staff, and graduate employees must be enrolled by July 29.

Thousands of UO employees have already enrolled in Duo. Many thanks to those of you who are putting it to use!

Student employees can choose to enroll in Duo at this time but are not required to. Student enrollment in Duo will be addressed in a future phase of this project.

Increased Risk

As CIO Minton wrote in February, universities around the world, including the UO, were already high-priority targets for hackers before COVID-19. Cybercriminals try to steal credentials from UO faculty, staff, and students in hopes of gaining unauthorized access to UO systems that contain personal information, research data, and intellectual property.

Since the COVID-19 outbreak began, such attacks have only increased globally.

At the same time, the pandemic has made universities more vulnerable. The vast majority of UO students, faculty, and staff are now learning and working off campus, where it is more difficult for our institution to secure data that would typically be accessed through our campus networks.

Simple yet Powerful

Thankfully, two-step login blocks nearly 100% of attacks based on credential theft, according to research by Google and Microsoft.

At a time when everyone is adjusting to so many other changes, we're glad to report that two-step login with Duo Security is as simple as it is powerful. The university's IT staff, including both of us, have been using Duo for many months already and find it remarkably unobtrusive.

Most people will only have to do two-step login about once a week. Just use the "Remember me for 7 days" option. When your verification day comes, it's as simple as tapping a button in a mobile app, entering a code, or answering a telephone call, depending on what devices you've registered.

Currently, Duo applies to all UO websites that use Shibboleth single sign-on—the familiar "Login Required" screen we're accustomed to seeing in Canvas, Zoom, MyTrack, Concur, and elsewhere.

Starting on June 3, Duo will go into effect for Office 365 and UOmail. If you're already using Duo, you'll start receiving Duo prompts that day from UO Microsoft applications and services, including Word, Outlook, Teams, OneDrive, and others.

In the coming months, UO VPN and other services will follow.

Device Options

If you have a smartphone or tablet, we strongly encourage you to register it for Duo, at least temporarily.

In particular, we recommend using the Duo Mobile smartphone app from Duo Security because it provides a built-in backup option: you can generate mobile passcodes and write them down for later.

Although other device options exist, they're better suited to UO's normal campus operations, when many people have an office phone handy and it's easier for IT staff to distribute hardware tokens.

For those who are reluctant to use a personal device for two-step login on a routine basis, you can register your device once, then write down passcodes or request temporary emergency bypass codes. Once campus operations return to normal, you can register an alternative device and unregister your smartphone.

Getting Help

Because logging in is such a fundamental aspect of nearly everything we do at the university, some people may be concerned about how two-step login will impact them. The university and Information Services remain committed to working with IT staff throughout the UO to minimize any impacts and ensure a smooth rollout.

Together we can advance cybersecurity at the University of Oregon. Thank you for helping us achieve that goal.

Sincerely,

Jessie Minton
Vice Provost for Information Services and Chief Information Officer

Leo Howell
Chief Information Security Officer