Increased Risk
As CIO Minton wrote in February, universities around the world, including the UO, were already high-priority targets for hackers before COVID-19. Cybercriminals try to steal credentials from UO faculty, staff, and students in hopes of gaining unauthorized access to UO systems that contain personal information, research data, and intellectual property.
Since the COVID-19 outbreak began, such attacks have only increased globally.
At the same time, the pandemic has made universities more vulnerable. The vast majority of UO students, faculty, and staff are now learning and working off campus, where it is more difficult for our institution to secure data that would typically be accessed through our campus networks.
Simple yet Powerful
Thankfully, two-step login blocks nearly 100% of attacks based on credential theft, according to research by Google and Microsoft.
At a time when everyone is adjusting to so many other changes, we're glad to report that two-step login with Duo Security is as simple as it is powerful. The university's IT staff, including both of us, have been using Duo for many months already and find it remarkably unobtrusive.
Most people will only have to do two-step login about once a week. Just use the "Remember me for 7 days" option. When your verification day comes, it's as simple as tapping a button in a mobile app, entering a code, or answering a telephone call, depending on what devices you've registered.
Currently, Duo applies to all UO websites that use Shibboleth single sign-on—the familiar "Login Required" screen we're accustomed to seeing in Canvas, Zoom, MyTrack, Concur, and elsewhere.
In the coming months, UO VPN and other services will follow.
Device Options
If you have a smartphone or tablet, we strongly encourage you to register it for Duo, at least temporarily.
Although other device options exist, they're better suited to UO's normal campus operations, when many people have an office phone handy and it's easier for IT staff to distribute hardware tokens.
For those who are reluctant to use a personal device for two-step login on a routine basis, you can register your device once, then write down passcodes or request temporary emergency bypass codes. Once campus operations return to normal, you can register an alternative device and unregister your smartphone.
Getting Help
Because logging in is such a fundamental aspect of nearly everything we do at the university, some people may be concerned about how two-step login will impact them. The university and Information Services remain committed to working with IT staff throughout the UO to minimize any impacts and ensure a smooth rollout.
Together we can advance cybersecurity at the University of Oregon. Thank you for helping us achieve that goal.
Sincerely,
Jessie Minton
Vice Provost for Information Services and Chief Information Officer
Leo Howell
Chief Information Security Officer