ITS Information Assurance (IA) had as its goal that 100,000 university community members would engage in a common action — use two-factor for Weblogin — by January 23, 2019. Faculty, physicians, staff, student employees, and sponsored affiliates on the Ann Arbor, Dearborn, and Flint campuses and in Michigan Medicine responded to the call — albeit with some persuasive and encouraging words. Over 106,000 individuals are now using two-factor.
Collectively breathing a sigh of relief when the time finally came, Michigan IT staff played an exceptional role in making the whole Duo thing happen. From attending meetings to integrating two-factor into systems and from talking it up with faculty and staff to providing support at every turn, IT staff did what it took.
How it all began
The overarching goal of the initial two-factor deployment and eventual expansion was the protection of institutional data and systems, as well as personal data. Two-factor authentication is particularly effective in reducing the risk of compromised accounts, and the threat from phishing attacks, which is the leading vector for external attackers — a threat that can be costly in terms of institutional time, reputation, and resources.
Duo arrived on campus in July 2016, when it replaced MTokens as U-M’s two-factor solution. That fall, the university launched the Your Password Needs a Partner: Turn on Two-Factor campaign to expand use beyond the more than 23,000 already using two-factor to access U-M systems that required it. By July 2018, the number of two-factor users had increased to 53,000, with U-M leading its higher education peers in push notifications, the most cost efficient method. Users were logging 75% of their authentications via the Duo Mobile app.
The time had come
U-M leaders decided in spring 2018 that all employees and sponsored affiliates needed to use Duo, a response in part to the fact that cyberattacks and online theft were increasing with such sophistication that the industry-wide, IT security standard had become two-factor authentication.
IA had several objectives in achieving its goal:
- Clearly communicate the benefits of using two-factor authentication in protecting university assets and personal information
- Engage with university users and stakeholders to determine challenges to using two-factor and assist them with making the transition
- Identify opportunities to improve the user experience with two-factor and implement those improvements where possible
- Review documentation and communications for any changes since the initial rollout two years earlier
- Identify opportunities for operational improvements and administrative enhancements
The team, the team, the team
ITS IA developed the Turn On Two-Factor for Weblogin campaign during summer 2018 to encourage the Ann Arbor campus and Michigan Medicine to begin using Duo. The plan was not to have everyone turn on two-factor by the deadline, but rather to get as many individuals as possible to use it early.
HITS IA took the lead by requiring that all Michigan Medicine employees and sponsored affiliates turn on two-factor by October 10. The School of Dentistry did the same, increasing the total users to 70,500. ITS Dearborn and ITS Flint joined the plan to go-live in 2019 alongside the Ann Arbor campus.
The ITS Duo@Weblogin Project Team met with unit IT representatives and an advisory group leading up to and throughout the campaign, which kicked off October 1. Resulting communications consisted of targeted emails to those who had not enrolled in Duo or turned it on for Weblogin, advertisements and articles in university publications, expanded help documentation and self-service videos, development of a U-M Duo set-up tool, a reminder banner and an interrupt screen on the Weblogin page, and a Duo dashboard for IT and unit leaders to track how their unit was doing.
Nearly 96,000 individuals — including those not required to do so — were using two-factor for Weblogin by the January 23 go-live date. That day 36 ITS Service Center staff and 15 ITS IA staff volunteers, as well as a complement of unit IT staff, UM-Dearborn ITS Service Desk staff, and UM-Flint ITS Helpdesk staff were on hand to answer questions and provide support to the remaining individuals for whom Duo would be turned on.
IT staff waited beginning at 7 a.m. for the tidal wave of calls, which manifested neither that day nor the days that followed. Apparently most employees were able to use the online materials to find the information they needed — how it should work.
The university will continue sharing useful information and tips with faculty, staff, and student employees, so they can become more adept at using two-factor in ways that might more accurately meet their individual needs. Meanwhile, many students who are not employees are using two-factor, which is giving way to discussions on how best to get all students to use Duo and by when. More on that later.
The majority of individuals still find having the Duo Mobile app on their smartphone or other mobile device to be the most convenient and flexible option. IT staff should remember when interacting with users that the mobile app may not work for everyone because of accessibility or financial reasons. Faculty and staff have the option of using basic cell phones or landlines, and hardware tokens and YubiKeys are available at no cost to the user. ITS IA, the ITS Service Center, and the Computer Showcase can provide additional information.
Once again, here’s to the university’s continued focus on increasing IT security and the Michigan IT community’s willingness to embrace the changes necessary to do so. Over 106,000 people — and the entire university — are reaping the benefits. Thank you!