C&IT adds additional security to Office 365 and Wayne State email
The Wayne State University campus community has seen a surge of phishing attacks, or malicious emails, lately. These scams range from threatening account closure to offering too-good-to-be-true part-time jobs and, most notoriously, pretending to sell baby grand pianos in an attempt to scam our community out of hard-earned money.
To improve the security of our systems and data, Computing and Information Technology (C&IT) is introducing multi-factor authentication for all Microsoft Office 365 applications, including email. The added login step will be slowly rolled out to university accounts in phases, beginning on Nov. 17 and continuing through the end of 2021.
Two-factor authentication protects accounts by requiring a second form of login to verify user identity. Wayne State students, faculty, staff, and affiliates already use Duo Security two-factor authentication to access secure resources in Academica and to connect to the VPN—that won’t change. Microsoft multi-factor authentication functions similarly and offers a second level of verification through a variety of means, including text, call, or the Authenticator mobile app.
Unlike the two-factor authentication we use to protect sensitive personal information in Banner, which is used every time a user accesses certain resources in Academica, Authenticator remembers your device for up to 90 days, which means fewer prompts to disrupt learning and working. Similarly, users accessing their accounts on campus with a secure Wayne State internet connection (WSU-SECURE) or off campus with the VPN will not have to use Authenticator, because these resources already require additional login steps.
Large educational institutions, like Wayne State, are responsible for maintaining equally large amounts of data related to student education, research, and even sensitive employee information that is desirable to criminals. Whether they are trying to attack our servers or steal your banking or tax return information, Wayne State systems are a target, and the easiest way to gain entry is to steal access from someone who already has it. That’s where phishing emails come in. While our security office works constantly to enforce firewall rules and other blockades, just as a virus can mutate, scammers are always evolving to break past our defenses.
This ever-growing sophistication of attacks is one of the biggest challenges in cyber security. Attackers are constantly finding new ways to obtain access to user credentials, which has made using a password alone for authentication nearly obsolete. Access to an unknowing user's account can be used for many nefarious activities, including abusing the access to data and IT systems that was granted to the original user for legitimate reasons. We are most recently seeing this in the form of scam emails disguised as coming from Wayne State users.
“Multi-factor authentication will drastically reduce these threats,” said C&IT Senior Director of Information Security and Compliance Garrett McManaway. “Even if the bad guys are able to trick someone into giving away their password, Authenticator will provide a second prompt that is not easily stolen, and the legitimate account owner will remain protected as they are the only one with both pieces of information required to log in.”
Even with these tools in place, it is still important to remain vigilant, be able to recognize scams, and report them to our security office. Similarly, it is important to never approve a two-factor prompt that you did not request yourself.
Microsoft Authenticator Implementation Timeline
| Group | Rollout date |
|---|---|
| Campus IT (C&IT and other IT professionals) pilot group | Nov. 17 |
| All new Wayne State accounts | Beginning Nov. 18 |
| Inactive accounts (last login six months ago or more) | Nov. 18 |
| Students | Beginning Dec. 1 |
| Staff and affiliates | Beginning Dec. 6 |
Learn more about two-factor authentication at Wayne State at tech.wayne.edu/2fa.