
Improving Account Security

Use Multi-Factor Authentication and strong passwords to secure your data

Have you ever been the victim of a phishing attack or received an email pretending to be from a colleague after their account was compromised? Attacks are on the rise, so it is critical that faculty and staff act now to enable Multi-Factor Authentication (MFA) on their Outlook/Office 365 accounts and that students enable 2-Step Verification on their AU Gmail accounts.

American University is taking steps to improve security for email and file services by requiring the use of Multi-Factor Authentication (MFA) on both Outlook/Office 365 (faculty and staff) and Gmail (students). You may already use Duo or 2-Step Verification when authenticating to AU platforms. This security standard helps all users prevent unauthorized access to email and data and reduces phishing attacks within the AU community.

OIT has also retired the 90-day/8-character password policy; all users are now required to use the 1-year/16-character passphrase policy.

Required Steps for Faculty and Staff

  1. Enroll your mobile device to use the Duo Multi-Factor App
    • Click to view the instructions for enrolling your smartphone in Duo.
    • Skip to Step 2 if you have already enrolled your smartphone to access the AU VPN or other services.
  2. Review what to expect for your email client.

An Introduction to Duo Security


Two-factor authentication adds a second layer of security to your logins. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password.

Required Steps for Students and Alumni

Multi-Factor Authentication is required on both Gmail and Office 365.

  1. Set up MFA on Gmail
  2. Set up MFA on Office 365

Help protect your account with 2-Step Verification


2-step verification adds a second layer of security to your logins. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password.


MFA Rollout Plan

See what progress AU is making towards MFA

OIT has taken a phased approach in communicating how to work through the outlined steps above, with the goal of elevating the security posture among all members of the AU community. See the details below.

Starting in June, staff began receiving a series of communications instructing them to enroll in Duo MFA on Outlook/Office 365. 

As of September 30, 2021, Duo Multi-Factor Authentication became a requirement for authenticating to staff AU email accounts and Office 365 applications. 

Starting in mid-September, faculty began receiving a series of communications instructing them to enroll in Duo MFA on Office 365. 

Effective October 28, 2021, Multi-Factor Authentication is required to authenticate to your AU faculty email account and Office 365 applications. 

Starting in mid-September, students and alumni began receiving a series of communications instructing them to enroll in Duo MFA for their AU Office 365 accounts and enable 2-step verification on their AU Gmail accounts.

As of October 28, 2021, Duo MFA is a requirement to authenticate to Office 365 applications and

Effective November 18, 2021, 2-step verification will be required for students and alumni to authenticate to their AU email account. 

100 percent Staff MFA Enrollment for Outlook/O365

100 percent Faculty MFA Enrollment for Outlook/O365

41 percent Student & Alumni Two-Step Verification Enrollment

Frequently Asked Questions

  1. What is Legacy Authentication?

    Legacy Authentication refers to protocols that use “basic authentication”. These protocols can’t enforce any type of second-factor authentication and are frequently exploited because of this weakness. IMAP and POP are historical examples.

  2. Why do we need two-factor authentication?

    Login credentials are more valuable than ever and are increasingly easy to compromise. Over 90% of breaches today involve compromised usernames and passwords. Two-factor authentication enhances the security of your account by using a secondary device to verify your identity. This prevents anyone but you from accessing your account, even if they know your password. Enabling two-factor authentication for O365 dramatically reduces the chance that someone can access or send unauthorized messages from your email account, or access documents and other data stored in your OneDrive.
  3. Why do we need stronger passwords?

    Industry password guidance points to password length as a better metric for security than password complexity (e.g., combinations of upper case, lower case, numbers, and special characters). Many staff and faculty are already on board with the 16-character minimum, but some users still need to be switched over to adopt best practices. By adopting the 16-character policy (which simply calls for longer, less complex passwords), users can author passwords that are more memorable, can be retained longer, and are, above all, harder to “crack”.
  4. Will this impact my ability to view or send AU email through a third party mail client or platform like Thunderbird or Gmail?

    In the best-case scenario, your third-party mail client supports more secure connection types than IMAP or POP, and new accounts can be set up to access Office 365 in a compatible way without complicated configuration. We recommend looking for an email client that offers "Office 365" or "Exchange" as prominent options during new account setup.
  5. Will I be able to "Send As" from my Gmail account (or other email client)?

    The "Send Mail As" feature in Gmail is a particularly dated function. For this, Gmail requires that you enter your O365 credentials, which is what allows Gmail to emulate you as a sender from an AU email account. With MFA enabled, however, anything that needs to authenticate to your O365 account also needs to be able to perform multi-factor authentication. At this time, Gmail's "Send Mail As" function is not compatible with MFA.
  6. Am I exempt if I'm already forwarding my AU email and responding using a personal email account?

    This security posture is designed to reinforce the goals set out in our IT security policies. Those policies state that AU entirely prohibits "sending, forwarding, or receiving confidential or sensitive academic or administrative information through non-AU e-mail accounts." Further, "confidential AU information must not be stored in or transmitted through email." As we continue to implement improvements in our IT systems, we ask that all users be aware of these motivations and benefits.

    Beyond that, one of the primary goals of this process is to protect your AU account from unauthorized access. Regardless of how you currently handle your email, your Office 365 account will receive this security improvement. Any direct attempt to log into your Office 365 account will therefore require completing multi-factor authentication. This applies not just to email, but also if you use or need to license AU's Microsoft Office suite of applications. You will be unable to access AU's Office 365 services without performing a Duo multi-factor authentication.
  7. I thought I already did my MFA enrollment a long time ago. How is this different?

    Prior to the communication of this new security standard, much of the AU community had already been using Duo to authenticate to select AU platforms, such as the VPN or Virtual Apps. Your Office 365 account, however, hasn't previously been safeguarded with MFA. The goal of this current effort is to expand utilization of MFA to include your Office 365 account (i.e., email, OneDrive, etc.). In this case, there are potential impacts to email delivery, though following the provided instructions will reduce or eliminate disruptions.
  8. Is my phone/computer compatible with MFA?

    Users should have two areas of concern around compatibility. To have a fully compatible experience, A. your phone needs to be able to run Duo Mobile, and B. your email client needs to be capable of prompting for Duo during the authentication process. See the corresponding requirements below:

    A. The current version of Duo Mobile runs on:
    • Android 8.0 and greater
    • iOS 12.0 and greater
    B. Duo MFA is supported in:
    • The native Mail app on iOS 11.x and greater
    • The native Mail app on iPadOS 13.1 and greater
    • Mac Mail on macOS 10.14 or greater
    • Outlook on iOS 10.x and greater
    • Outlook on all supported versions of Android
    • Outlook 2016 or greater on Windows and Mac 
  9. What if I can't download the Duo Mobile app on my phone?

    We advertise Duo Mobile, the smartphone app, as the most efficient way of facilitating MFA here at AU. It is not, however, the explicit requirement for getting through MFA prompts. It is possible to enroll in MFA without a smartphone, and still have a relatively seamless MFA experience. Please refer to KB0017302 for details on alternative MFA methods.