
Improving Account Security

Use Multi-Factor Authentication and strong passwords to secure your data

American University is taking steps to improve the security posture of its email services by requiring Multi-Factor Authentication (MFA) on both Outlook (Faculty and Staff) and Gmail (Students). You may already be accustomed to using Duo or Two-Step Verification when authenticating to other platforms, including the VPN.

Starting June 25, 2021, OIT began encouraging all users to opt in to Duo MFA on their Office 365 accounts, adding a second layer of security to email and Office 365 applications. This security standard will eventually become mandatory for all users and greatly reduces the risk of unauthorized access to email and data.

OIT will also retire the 90-day/8-character password policy and require all users to adopt the 1-year/16-character passphrase policy.

Individuals who want to proactively meet our account security goals can follow the steps below.

An Introduction to Duo Security


Two-factor authentication adds a second layer of security to your logins. Verifying your identity with a second factor (such as your phone or another mobile device) makes it much harder for anyone else to log in as you, even if they know your password.

Required Steps

All Users

  1. If your password expires every 90 days, change it in the myAU portal so that it meets the 16-character password policy

Faculty and Staff

  1. Enroll your mobile device in the Duo Mobile app
    • See the instructions for enrolling your smartphone in Duo.
    • Skip to Step 2 if you have already enrolled your smartphone to access the AU VPN or other services.
       
  2. Add Duo MFA to your Office 365 account
    • Complete the form to opt in to MFA for your Office 365 account.
    • Then review what to expect for your email client.


MFA Rollout Plan: what progress AU is making towards MFA

OIT is taking a phased approach to communicating how to work through the steps outlined above, with the goal of elevating the security posture of all members of the AU community. For more information on how and when your group will be affected, see the details below.

Starting in June, staff will receive a series of communications instructing them to review the related materials and opt in to Duo MFA on Office 365.

Effective September 30, 2021, all staff will be required to enable and use Multi-Factor Authentication when signing in to their AU email account and Office 365 applications.

Staff MFA enrollment on Office 365: 38 percent

Because Multi-Factor Authentication is inherently a multi-step login process, it requires the platform to use a more advanced, "modern" authentication method that can carry the second-factor prompt. MFA is therefore incompatible with platforms that use "legacy authentication", i.e. login methods that can only ask for a username and password in a single step.

To apply MFA to our email platform, and to make it an effective security measure, OIT has retired the incompatible (albeit well-known) legacy authentication methods, namely basic username-and-password authentication over older protocols such as IMAP and POP3. Because these endpoints accept a password alone and never prompt for a second factor, they are well-known entry points for malicious actors, who use them for password spraying and credential-stuffing attacks.
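Before retiring basic authentication, an administrator wants to know which accounts still sign in over legacy protocols (they will break when IMAP/POP3 are disabled) and which source addresses are hammering those endpoints with failed logins (the password-spraying pattern the paragraph above refers to). The script below is an added illustration, not code from the AU page or from OIT: it assumes sign-in records exported as JSON lines carrying the `clientAppUsed`, `userPrincipalName`, `ipAddress` and `status.errorCode` fields that Microsoft's Azure AD sign-in logs use, and the sample records are constructed for this example.

```python
"""Triage sign-in records for legacy (basic) authentication before retiring it.

Added example, not from the AU page. Field names follow the Azure AD sign-in
log schema (assumption); the sample records below are constructed, not real data.
"""
import json
from collections import Counter, defaultdict

# clientAppUsed values that mean username+password-only (basic) authentication.
# These clients cannot relay an MFA prompt, which is why the page retires them.
# (Assumed set; extend to match your tenant's exported values.)
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}

# Constructed sample export (one JSON object per line), not real AU data.
# errorCode 0 = successful sign-in; 50126 = invalid username or password.
SAMPLE_SIGNIN_LOG = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@example.edu", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.edu", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.edu", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.edu", "clientAppUsed": "POP3",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.edu", "clientAppUsed": "POP3",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.edu", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@example.edu", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
    {"userPrincipalName": "frank@example.edu", "clientAppUsed": "IMAP4",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
])


def parse_signins(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(record):
    """True when the record was authenticated by a basic-auth (legacy) client."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def legacy_auth_report(records):
    """Split legacy-auth sign-ins into two views.

    Returns (users, failed_by_ip):
      users        -> {upn: {protocol: successful_login_count}}  (accounts to migrate)
      failed_by_ip -> {ip: {upn, ...}}  (failed basic-auth attempts per source address)
    """
    users = defaultdict(Counter)
    failed_by_ip = defaultdict(set)
    for r in records:
        if not is_legacy(r):
            continue
        upn = r.get("userPrincipalName", "<unknown>")
        succeeded = r.get("status", {}).get("errorCode") == 0
        if succeeded:
            users[upn][r["clientAppUsed"]] += 1
        else:
            failed_by_ip[r.get("ipAddress", "<unknown>")].add(upn)
    return {u: dict(c) for u, c in users.items()}, dict(failed_by_ip)


def spray_candidates(failed_by_ip, min_accounts=3):
    """Source IPs with failed basic-auth logins against >= min_accounts distinct
    accounts: the one-password-many-users pattern legacy endpoints invite."""
    return {ip: sorted(upns) for ip, upns in failed_by_ip.items()
            if len(upns) >= min_accounts}


if __name__ == "__main__":
    users, failed = legacy_auth_report(parse_signins(SAMPLE_SIGNIN_LOG))
    print("Accounts still using legacy auth (will break when IMAP/POP3 are retired):")
    for upn, protocols in sorted(users.items()):
        print(f"  {upn}: {protocols}")
    print("Likely password-spray sources against legacy endpoints:")
    for ip, upns in spray_candidates(failed).items():
        print(f"  {ip}: {len(upns)} accounts ({', '.join(upns)})")
```

Run against a real export, the first list is the set of users who need to move to a modern-auth client before the cutoff; the second is worth blocking at the perimeter while the legacy endpoints remain open. Note that `alice` appears only under IMAP4: her browser sign-in is modern auth and is not a migration concern.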

OIT announced these changes in the email "Upcoming Changes to AU Email Services and Passwords", which states two goals:

  1. Effective September 30, 2021, all staff will be required to enable and use Multi-Factor Authentication when signing in to their AU email account (Outlook and Office 365 applications).
  2. The 90-day/8-character password policy will be retired, so users with 8-character passwords will need to change their password to meet the more secure 365-day/16-character password policy.

Frequently Asked Questions

  1. Why do we need two-factor authentication?

    Login credentials are more valuable than ever and are increasingly easy to compromise. Over 90% of breaches today involve compromised usernames and passwords. Two-factor authentication strengthens your account by using a secondary device to verify your identity, so a stolen password alone is no longer enough to get in. Enabling two-factor authentication for O365 dramatically reduces the chance that someone can read or send unauthorized messages from your email account, or access documents and other data stored in your OneDrive.
  2. Why do we need stronger passwords?

    Industry password guidance treats password length as a better measure of strength than complexity rules (e.g., required mixes of upper case, lower case, numbers, and special characters). Many staff and faculty are already on the 16-character minimum, but some users still need to be moved to it. The 16-character policy simply calls for longer, less complex passwords, so users can choose passphrases that are easier to remember, can be kept for longer, and, above all, are harder to "crack": a 16-character passphrase built from ordinary words has far more possible combinations than an 8-character password built from a larger character set.
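To make the length-versus-complexity argument concrete, the script below checks a candidate against both policies described on this page and compares the minimum search space each policy guarantees. It is an added example, not code from the AU page or the myAU portal: the exact complexity rule of the old policy is not stated on the page, so the legacy check here assumes three of four character classes, and the 26- and 95-symbol alphabets are the usual worst-case (all lowercase) and best-case (full printable ASCII) assumptions.

```python
"""Compare the 8-character/90-day policy with the 16-character/365-day passphrase policy.

Added example, not code from the AU page. The legacy policy's complexity rule
(three of four character classes) is an assumption; the page does not state it.
"""
import math
import string

# Policy descriptions as given on the page, plus the assumed complexity rule.
LEGACY_POLICY = {"min_length": 8, "max_age_days": 90, "min_classes": 3}
PASSPHRASE_POLICY = {"min_length": 16, "max_age_days": 365, "min_classes": 0}

SPECIALS = set(string.punctuation + " ")
LOWER_ONLY = 26        # worst case a passphrase policy permits: all lowercase letters
PRINTABLE_ASCII = 95   # best case a complexity policy can reach: every printable ASCII symbol


def count_classes(password):
    """Number of character classes present: lower, upper, digit, special."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    )
    return sum(checks)


def meets_policy(password, policy):
    """True when the password satisfies the policy's length and class requirements."""
    return (len(password) >= policy["min_length"]
            and count_classes(password) >= policy["min_classes"])


def search_space_bits(length, alphabet_size):
    """log2 of the number of strings of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def guaranteed_bits(policy):
    """Search space of the *weakest* password a policy still accepts.

    A complexity policy can at best force the full printable alphabet; a
    length-only policy must assume the user picks lowercase letters only.
    """
    alphabet = PRINTABLE_ASCII if policy["min_classes"] > 0 else LOWER_ONLY
    return search_space_bits(policy["min_length"], alphabet)


if __name__ == "__main__":
    for name, policy in (("legacy 8/90", LEGACY_POLICY), ("passphrase 16/365", PASSPHRASE_POLICY)):
        print(f"{name:18s} guarantees at least {guaranteed_bits(policy):.1f} bits")
    for candidate in ("Tr0ub4d0r&3", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={meets_policy(candidate, LEGACY_POLICY)}, "
              f"passphrase={meets_policy(candidate, PASSPHRASE_POLICY)}")
```

The numbers are the point: even the weakest passphrase the 16-character policy accepts (sixteen lowercase letters, about 75 bits) has a larger search space than the strongest minimum the 8-character complexity policy can force (eight printable-ASCII characters, about 53 bits), and the passphrase is the one a person can actually remember for a year.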
  3. Will this impact my ability to view or send AU email through a third party mail client or platform like Thunderbird or Gmail?

    Yes, although the impact depends on the email client. With IMAP and POP3 disabled, a third-party email client must connect to your mailbox using modern authentication, which hands the sign-in to an interactive Microsoft login page that can present the Duo prompt. Compatible clients are generally those that offer an explicit option for adding an Office 365 (or Exchange/Microsoft 365) account rather than asking you to type in manual server settings. As examples, Thunderbird and Gmail do not currently offer this; Apple Mail and Windows Mail do.
  4. I thought I already did my MFA enrollment a long time ago. How is this different?

    Before this new security standard was announced, much of the AU community was already using Duo to authenticate to selected AU platforms such as the VPN and Virtual Apps. Your Office 365 account, however, has not previously been protected with MFA. The goal of the current effort is to extend MFA to your Office 365 account (i.e. email, OneDrive, etc.). Because this affects how email clients connect, there is potential for disruption to email delivery; following the provided instructions will reduce or eliminate it.
  5. How do I know if I've opted in already?

    Faculty and staff can tell whether they have fulfilled the requirements by navigating to webmail at mail.american.edu. Users who have successfully enrolled in MFA on O365 will be prompted for Duo's secondary authentication after providing their regular login credentials. If you are not prompted for secondary authentication, you have not completed the required steps.
  6. Is my phone/computer compatible with MFA?

    There are two compatibility requirements. For a fully compatible experience, A. your phone needs to be able to run Duo Mobile, and B. your email client needs to be capable of prompting for Duo during the authentication process. See the corresponding requirements below:

    A. The current version of Duo Mobile runs on:
    • Android 8.0 and greater
    • iOS 12.0 and greater
       
    B. Duo MFA is supported in:
    • The native Mail app on iOS 11.x and greater
    • The native Mail app on iPadOS 13.1 and greater
    • Mac Mail on macOS 10.14 or greater
    • Outlook on iOS 10.x and greater
    • Outlook on all supported versions of Android
    • Outlook 2016 or greater on Windows and Mac 
  7. What if I can't download the Duo Mobile app on my phone?

    We recommend Duo Mobile, the smartphone app, as the most convenient way to complete MFA at AU. It is not, however, required for getting through MFA prompts. It is possible to enroll in MFA without a smartphone and still have a relatively seamless MFA experience. Please refer to KB0017302 for details on alternative MFA methods.