UChicago accelerates adoption of two-factor authentication

For higher education institutions, attempts to gain unauthorized access to systems and data by compromising the accounts of individual users is an increasing concern. To confront this issue, the University of Chicago is bolstering its information security program to protect academic, administrative and research data.

According to the 2017 Data Breach Investigations Report, 81 percent of hacking-related breaches leveraged either stolen or weak passwords. Two-factor authentication (2FA) is one of the security measures the University initiated to address this vulnerability.

Four years ago, 2FA was enabled for many of the University’s most frequently used online services and systems. Today, these 2FA-protected services include the Grants Management System (AURA), Workday, Canvas, Box, GSuite, the Academic Information System (AIS), and many others. Beginning this spring, all faculty and staff (including students who are employed by the University) must enroll in 2FA to access these online services and systems.

UChicago faculty and staff can use a smartphone to access services and systems protected by 2FA.

“The University is joining many of its peer institutions in requiring two-factor authentication as a means of further protecting personal and institutional information and data,” said Cole W. Camplese, associate vice president for information technology and chief information officer. “This has been an ongoing discussion with the Provost IT Committee, the IT Leadership Council, and the faculty-led Board of Computing Activities and Services, all of which felt accelerating 2FA adoption is an important and necessary step for the University.”

Many online services that individuals use in their everyday lives, such as those for banking, healthcare, and social media, offer 2FA for additional account security. 2FA strengthens security by requiring two methods (also referred to as factors) to verify your identity. A common example is how you protect your bank account with a pin number (something you know) and debit card (something you have) when you withdraw money from an ATM.

At UChicago, when a user logs in to any 2FA-protected service or system, they are prompted to verify their identity with a device of their choosing, such as a smartphone, tablet, or landline phone. This second level of verification prevents anyone else from accessing the user’s CNetID account to log into University services, even if they know the password.

“Two-factor authentication is the single most important step that anyone can take to protect their digital identity, providing a second layer of defense against phishing scams or password thefts,” said Leilani Lauger, executive director for information security and chief information security officer.

For faculty and staff not already using 2FA for their University account, it is easy to learn more and enroll at get2FA.uchicago.edu.