SPU Moves to Azure MFA
As part of our ongoing efforts to better protect campus and reduce administrative costs, CIS has licensed Microsoft's Azure Multi-Factor Authentication (MFA) for all current Duo 2FA users and all Students at a lower cost than our current Employee-only coverage through Duo.
Extending this service to campus is both a best practice and will greatly reduce the number of compromised SPU student accounts, consequently decreasing the number of phishing emails sent to others from within the SPU community.
Migration Timeline
- Pilot (Jan-Apr): CIS staff and several dozen pilot-users from around campus have already migrated to Azure MFA and have been using it to login to campus systems since as early as January 2022.
- Current User Opt-in (April 18): Starting today all current Duo Users are eligible to migrate to Azure MFA at a time convenient to them.
Instructions on how to enroll can be found here: Enrolling In Azure MFA.
- Current User Migration Deadlines (April 25-May 27): Starting next week all users that have not yet migrated will begin to be placed in a phased migration cohort. Each cohort will have two weeks to migrate before being required to do so. As soon as you are placed in a cohort you will begin to see a notification reminding you of your deadline for migrating each time you log in to an online SPU system.
- Current & Incoming Students (Summer/Fall 2022): Migration of the general student body will begin as an opt-in process around the start of Summer Quarter (for all current and incoming students) and we aim to conclude setup of all students in the weeks following the start of Fall Quarter. Many current students will already have this protection by virtue of being a Student Employee.
- Alumni and other populations (Summer/Fall 2022): Migration of other accounts to Azure MFA will take place during Summer and Fall, with all accounts being migrated prior to the end of 2022.
Azure Multi-Factor Authentication (MFA)
Multi-factor authentication has been in use at SPU since 2018 and adds the requirement of having "something you have" (e.g.: a registered phone), in addition to "something you know" (e.g.: SPU username and password) in order to login to your SPU account. This added layer of protection ensures that even if an account credential is compromised, a malicious actor cannot gain access to your SPU account without both authentication factors, and your access to sensitive student data as well as any personal data is safeguarded. Since rolling this service out to campus employees, we've had zero compromised accounts among those users.
Azure MFA is the MFA service offered by Microsoft and is part of our ongoing campus license to Microsoft 365 online services. By tying our MFA provider in with our campus licensing, we are able to provide this protection to all campus user accounts and reduce the number of systems SPU uses.
The primary authentication method recommended is the Authenticator App available on Android and Apple devices. This simple app allows you easily authenticate a login by pushing a notification to your device each time you log in to an SPU service from a new device or internet browser.
Podium Retirement
Effective this morning, the "podium" login account has been retired from use at SPU. This was an account primarily used by external and conference guests to present content on SPU-managed devices, but some employees have used it for non-sensitive tasks on SPU-managed devices as well. With the advent of Azure MFA, use of this account (in conjunction with accessing SPU services) could result in a security hole for that user's account. As such, this account needs to be officially retired. If you are aware of any user that previously used this account, please let them know that they will need to login with their SPU credential on all campus systems. If you are working with an external group that needs access to an SPU-managed workstation, please contact the CIS HelpDesk for assistance.