The University of Oregon will take a significant step forward in its cybersecurity defenses on Nov. 20 when about 1,500 faculty and staff members start using two-step login.
Two-step login — also known as two-factor authentication, 2FA, two-step verification or multifactor authentication — adds a powerful extra layer of security to any login process. After entering a username and password, the user must also tap a button in a mobile app, enter a code or answer a telephone call.
"Even if a cybercriminal stole your password, two-step login would make it really hard for them to actually use your account," said Leo Howell, chief information security officer. "Data show that two-step login can prevent an estimated 98 percent of data breaches resulting from password theft. This protects you and it protects the university," Howell said.
As announced in July, Information Services plans to launch two-step login for all UO staff and faculty members during this academic year. The phased campus rollout starts with employees who have access to high-risk data, and specifically with users of UO's Banner system.
About 1,500 faculty and staff members, including student employees, use Banner to perform fundamental processes such as scheduling classes, entering grades, creating invoices and issuing paychecks.
Starting on Nov. 20, Banner users will be required to do two-step login, not just to access Banner but also to access many other campus services that require a Duck ID and password, such as Canvas, MyTrack, Concur, the UO Service Portal and others.
"When we turn on two-step login for you, you'll start using it everywhere you see that green-and-yellow 'Login Required' screen," said Patrick Chinn, associate chief information officer for customer experience. "You may know that login page as Shibboleth or single sign-on."
For UO's two-step login service, the university is partnering with Duo Security. People first register a mobile phone, tablet, desk phone or small hardware token. After two-step login goes into effect, Duo will prompt the user during the login process to confirm their identity using the device they've registered.
"Luckily, two-step login only takes a few seconds, and for most services, you only have to do it once a week," Chinn said. "I started using it myself in February when IT staff were being enrolled and I was happy to see how quick and easy it is."
Other UO staff and faculty members will be required to start using two-step login in the coming months. Information Services will share more information as plans for remaining phases of the rollout are finalized.
"Many other universities are already using two-step login," Howell said. "We're glad to be taking this step for the University of Oregon now."
Other than student employees who use Banner, students are not included in plans for the current rollout.
Information Services has published an FAQ article with answers to common questions about two-step login.
Banner users seeking help can contact the IT staff in their respective areas, if applicable, or contact the Technology Service Desk by phone at 541-346-4357, in person in Room 68, Prince Lucien Campbell Hall or through the UO Service Portal.
Other employees with questions about two-step login should contact the project team at firstname.lastname@example.org.
—By Nancy Novitski, University Communications