15 percent Staff MFA O365 Enrollment
Because Multi-Factor Authentication is inherently a multi-step login process, it requires that the corresponding platform be set up with a more advanced or "modern" authentication method. MFA is therefore incompatible with platforms that use "Legacy Authentication", i.e., login pages that can only ask for a username and password.
To apply MFA to our email platform, and to make it an effective security measure, OIT has retired the incompatible (albeit well-known) legacy authentication methods such as IMAP and POP3. These older authentication methods are well-known entry points for malicious actors.
OIT announces via email "Upcoming Changes to AU Email Services and Passwords" with two stated goals:
- Effective September 30, 2021, we will require that all staff enable and utilize Multi-Factor Authentication to authenticate to your AU email account (Outlook and Office 365 applications).
- We will retire the 90-day/8-character password policy, so users with 8-character passwords will need to change their password to utilize the more secure 365-day/16-character password policy.
The option to select the 90 Day/8 Character password policy is removed from the myAU portal. Users can subscribe only to the 1 Year/16 Character passphrase.
All staff are required to utilize MFA to authenticate to Office 365 and O365 applications.
- Why do we need two-factor authentication?
Login credentials are more valuable than ever and are increasingly easy to compromise. Over 90% of breaches today involve compromised usernames and passwords. Two-factor authentication enhances the security of your account by using a secondary device to verify your identity. This prevents anyone but you from accessing your account, even if they know your password. Enabling two-factor authentication for O365 dramatically reduces the chance that someone can access or send unauthorized messages from your email account, or access documents and other data stored in your OneDrive.
- Why do we need stronger passwords?
Industry password guidance points to password length as a better metric for security than password complexity (e.g., combinations of upper case, lower case, numbers, and special characters). Many staff and faculty are already on board with the 16-character minimum, but there are still some users who will need to be switched to adopt best practices. By adopting the 16-character policy (which simply calls for longer, less complex passwords), users can author passwords that are more memorable, can be retained longer, and are, above all, harder to “crack”.