On May 18, UT faculty and staff received an email notifying them of account security reminders, including password changes, two-step authentication, and updating personal information.
Matthew Junod, information security officer and author of the email, explained the challenge of sending out IT-related messages.
“The University has seen a sharp increase in attacks against our student and employee accounts — and the bad guys work around the clock to try to get in by any means they can find,” Junod said. “We recently sent out a reminder to all of our employees to sign up [for two-step authentication] because we believe that this is a vital step to protecting their online identity.”
Put simply, two-step authentication helps to protect sensitive employee information from unauthorized access by requiring an access code sent by voice call or text.
“The two-step authentication system was deployed nearly two years ago to help limit the damage from users supplying passwords in response to phishing emails and websites, but approximately 20 percent of our employees had yet to enroll, meaning that if a hacker got their UTAD credentials, the hacker could access the user’s tax information, personal information or direct deposit, and even make changes,” Junod explained. “Many of our peers in our area, including BGSU and others in state, have also been using this technology to protect their own users, and we believe this is something that most folks expect as an available feature for their most important accounts.”
Employees can register for two-step authentication by logging into their myUT web portal and opening one of the pages protected by the service, including Update Addresses & Phone and Direct Deposit Information.
With more IT updates on the way, Junod shared useful tips for protecting personal information and identifying fraudulent messages:
• IT security does not generally include links within its messages unless announced in advance.
• Messages from IT are usually informational and do not require immediate action.
• IT links always point to a UT website (utoledo.edu) and not an outside website.
• Messages sent from the IT security team are usually digitally signed, which some email clients like Outlook will automatically verify as legitimate. UT webmail, unfortunately, does not validate signatures without a browser plugin.
• Any time someone suspects that a message is not legitimate, he or she can forward it to firstname.lastname@example.org for IT to investigate.