
Improving Account Security

Use Multi-Factor Authentication and strong passwords to secure your data

American University will be taking steps to improve our security posture for email services by requiring the use of Multi-Factor Authentication (MFA) on both Outlook (Faculty and Staff) and Gmail (Students). You may already be accustomed to using Duo or Two-Step Verification when authenticating to various platforms, including the VPN.

Starting June 25, 2021, OIT began encouraging all users to opt in to Duo MFA for their Office 365 accounts, adding an additional layer of security to email and Office 365 applications. This security standard will eventually become mandatory for all users and will prevent unauthorized access to email and data.

OIT will also be retiring the 90-day/8-character password policy and requiring that all users adopt the 1-year/16-character passphrase policy.

Individuals who want to proactively meet our account security goals can follow the steps below.

Required Steps

All Users

  1. If your password expires every 90 days, update it to use the 16-character password policy in the myAU portal

Faculty and Staff

  1. Enroll your mobile device to use the Duo Multi-Factor app
    • Click to view the instructions for enrolling your smartphone in Duo.
    • Skip to Step 2 if you have already enrolled your smartphone to access the AU VPN or other services.

  2. Add Multi-Factor (Duo) to your Office 365 account
    • Complete the form to opt in to using MFA with your Office 365 account.
    • Then, review what to expect for your email client.

MFA Rollout Plan

See what progress AU is making towards MFA

OIT will be taking a phased approach to communicating how to work through the steps outlined above, with the goal of elevating the security posture of all members of the AU community. For more information on how and when your group can expect to be affected, see the details below.

Starting in June, staff will receive a series of communications instructing them to review related materials and opt in to Duo MFA on Office 365.

Effective September 30, 2021, we will require that all staff enable and use Multi-Factor Authentication to authenticate to their AU email account and Office 365 applications.

The faculty communication campaign starts on 10/1/2021. Prior to the start of the faculty enrollment campaign, OIT will decide whether to make MFA (using Duo) required, effective on a date between 11/18/2021 and 2/24/2022.

Phase 3 is expected to begin in February 2022. Because student email and data are hosted in Google, students should expect to use Google's proprietary 2-Step Verification (2SV). This will not require the use of Duo.

Learn more about Google's 2SV.

In anticipation of Microsoft's intention to sunset Legacy Authentication, and to mitigate potential exploitation within our own architecture, OIT has disabled Legacy Authentication protocols such as IMAP and POP3.

Frequently Asked Questions

  1. Why do we need two-factor authentication?

    Login credentials are more valuable than ever and are increasingly easy to compromise. Over 90% of breaches today involve compromised usernames and passwords. Two-factor authentication enhances the security of your account by using a secondary device to verify your identity. This prevents anyone but you from accessing your account, even if they know your password. Enabling two-factor authentication for O365 dramatically reduces the chance that someone can access or send unauthorized messages from your email account, or access documents and other data stored in your OneDrive.
  2. Why do we need stronger passwords?

    Industry password guidance points to password length as a better metric for security than password complexity (e.g., combinations of upper case, lower case, numbers, and special characters). Many staff and faculty are already on board with the 16-character minimum, but some users still need to be switched over to adopt best practices. By adopting the 16-character policy (which simply calls for longer, less complex passwords), users can author passwords that are more memorable, can be retained longer, and are, above all, harder to "crack".
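The length-over-complexity argument above, worked through numerically as an added example (not code from AU or OIT): it compares the search space of the old 8-character policy with the new 16-character policy and checks the length requirement. The alphabet sizes (95 printable ASCII symbols, 26 lowercase letters) and the guessing rate of 10^10 guesses per second are assumptions for illustration, not figures from the page.

```python
import math

# Policy lengths taken from the page: the retiring 8-character policy and the
# new 16-character passphrase policy.
OLD_MIN_LENGTH = 8
NEW_MIN_LENGTH = 16

# Assumed alphabet sizes (not stated on the page): 95 printable ASCII symbols
# for a "complex" password, 26 for an all-lowercase passphrase (a lower bound).
COMPLEX_ALPHABET = 95
LOWERCASE_ALPHABET = 26

# Assumed offline guessing rate for illustration only.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a secret of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a search space of `bits` at the given rate."""
    return 2.0 ** bits / guesses_per_second


def meets_passphrase_policy(passphrase: str) -> bool:
    """The 16-character policy: length is the requirement, not character classes."""
    return len(passphrase) >= NEW_MIN_LENGTH


def compare_policies() -> dict:
    """Search space (bits) and exhaustion time (days) for each policy variant."""
    variants = {
        "old_8_complex": (OLD_MIN_LENGTH, COMPLEX_ALPHABET),
        "new_16_lowercase": (NEW_MIN_LENGTH, LOWERCASE_ALPHABET),
        "new_16_complex": (NEW_MIN_LENGTH, COMPLEX_ALPHABET),
    }
    result = {}
    for name, (length, alphabet) in variants.items():
        bits = keyspace_bits(length, alphabet)
        days = seconds_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND) / 86400
        result[name] = {"bits": bits, "days_to_exhaust": days}
    return result


if __name__ == "__main__":
    for name, stats in compare_policies().items():
        print(f"{name}: {stats['bits']:.1f} bits, {stats['days_to_exhaust']:.3g} days")
```

Under these assumptions even an all-lowercase 16-character passphrase has a larger search space than an 8-character password drawn from every printable symbol, and the 8-character space can be exhausted well within a 90-day rotation period while the 16-character space lasts far beyond a year.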