
Multi-Factor Authentication (MFA) Expansion

Purpose

The Christian Brothers University ITS team is implementing Multi-Factor Authentication to supply reliable security for all faculty and staff working at CBU. This is to offset the increasing risk of phishing attempts and fraudulent activity in our increasingly digital environment.

MFA

Multi-Factor Authentication, or MFA, is a method of authentication where a user is prompted for an additional piece of information or “factor” that only they possess, in addition to their normal username and password. Examples of factors implemented by MFA include: acknowledging a “push” notification in a mobile application, a code sent via text message to a user’s mobile device, acknowledging a call on a separate phone number, or an access code number generated by another application. ITS has currently enabled MFA support for any resource connected to Office 365.

As the potential risks from malware, ransomware, and phishing attempts are on the rise, it is vital to secure the protection of sensitive information. The sole protection of data through authentication by username and password has quickly become ineffective, requiring additional security through the implementation of MFA. MFA safeguards against these threats by ensuring that an attacker is still unable to gain access to protected resources without possession of the additional factor.

Account Security Overview

As an increasing number of businesses and users are targeted by hackers, account security has never been more important. Password management has always been a weak point in systems that rely solely on a knowledge-based authentication factor (something you know). Passwords are reused across multiple systems, making all accounts vulnerable when a reused password is leaked.

When all is said and done, passwords are simply no longer reliable as the sole method of authentication to sensitive systems. A better security option is having two (or more) factors needed before gaining access to an account. These come from different categories:

  • Something you know (password)
  • Something you have (phone)
  • Something you are (biometric, such as a thumbprint)

Risks

Members of the ITS team have identified multiple risks related to social engineering and compromised user credentials. The table below gives three examples of the possible risks and their potential impact, each of which can be mitigated by use of an MFA solution.

THREAT: Financial Access: A user with access to financial records has their account compromised due to malware on their system or a series of email phishing attempts. The attacker is then able to transfer funds through a wire transfer now that they have access to the user account.

Impact: Potential trigger of state breach notification, loss of funds, negative publicity, and damage to reputation potentially impacting student retention, student recruitment, and research grants.

IMPACT: High

THREAT: Confidential Data Release: A user account with access to personally identifiable information is compromised through email phishing. The attacker now uses the account to access personally identifiable information of multiple students or faculty members en masse or steal intellectual property.

Impact: Trigger of state breach notification, compensation/fraud monitoring for impacted individuals, negative publicity, lost market opportunity, and damage to reputation potentially impacting student retention, student recruitment, and research grants.

IMPACT: High

THREAT: Account Escalation: A typical user account without access to personally identifiable information is breached through social engineering. This account is then used by the attacker to send scam emails or phishing attempts to other accounts within the CBU network. As a result, the attempts will bypass any external filtering and increase the chance of other accounts being compromised.

Impact: Trigger of state breach notification, disruption of University day-to-day functioning, negative publicity, and damage to reputation potentially impacting student retention, student recruitment, and research grants.

IMPACT: Medium

Recommendations

Given the threats identified above and the risk they represent to the University, the ITS team has implemented a policy that all regular employees, defined as all faculty, staff, and adjuncts, will be required to use MFA.

Implementation

MFA: All regular employees will have a voluntary period to enroll in MFA. If the employee does not enroll within the opt-in period, their account will automatically be enrolled in MFA and they will not be able to log in to Office 365 until they complete MFA enrollment. ITS reserves the right to grant exceptions to the opt-in window depending upon the situation.

Timeline: ITS announced both required programs in October 2021. MFA will be required for all new hires beginning in October 2021 and for all existing employees by mid-November 2021.

MFA SIGN-UP INSTRUCTIONS