With 2FA, UW thwarts cyber threats

By Gretchen Konrady

Somewhere, someone with bad intent is trying to snag your UW NetID log-in credentials to get at something that they shouldn’t.

And it’s not just you they’re targeting. Anyone at the UW with a UW NetID will do, or anyone with a college or university affiliation. They’re cybercriminals, and they want to steal your personal information and institutional data. If they can steal your financial information or even actual funds, even better. Their signature method is to use scams that “phish” for personal sign-in credentials like your UW NetID and password.

Fortunately, your UW NetID sign-in may already be secured through two-factor authentication (2FA). On the heels of October’s National Cybersecurity Awareness Month, students across the UW’s three campuses are now required to use 2FA, joining faculty and staff to complete the University’s implementation of 2FA for use with UW NetID accounts.

This broad use of 2FA thwarts would-be thieves, who are indeed thick on the ground.

“We see a large number of attacks attempting to steal UW passwords,” said Becky Skiver Thompson, the UW’s Chief Information Security Officer (CISO). “Using 2FA helps protect against those attacks and stop the scammers from stealing information and resources. Adding this layer of protection is fundamental to our comprehensive strategy to reduce institutional cybersecurity risk.”

2FA significantly decreases risk to UW

Securing UW NetID accounts using 2FA, typically with Duo Mobile, provides significant protection: Duo says that its service decreases the risk of compromised credentials at universities in particular by up to 96 percent.

But how would someone wind up with compromised credentials in the first place?

A UW NetID password can get swiped when someone has used that same password on a site that’s hacked by bad actors, who then try to access UW resources using the password. Or spam messages slip through the UW’s email filtering system and trick someone into clicking on a link, such as one for a job opportunity or financial aid.

These scams can capture UW NetID credentials, which the scammers then use to try to get into UW systems that contain valuable data, or to access systems that could help them spread malware.

“Even if someone has your password, 2FA helps prevent others from signing in as you,” Skiver Thompson said. She adds that her office recommends that people not use UW NetID passwords with any other account.

Skiver Thompson says phishing attempts can be very sophisticated in trying to get you to fall for something and enter your UW NetID credentials or other information — and 2FA won’t help when that happens on non-UW websites.

“Thieves use phishing emails that appear to come from familiar individuals or organizations to trick people into providing credit card numbers or bank information,” Skiver Thompson said.

Before you click, look at that link a second time

Her office, especially during National Cybersecurity Awareness Month, urged us to be skeptical of email messages asking us to click on links or download attachments, as there can be different kinds of phishing.

And when your Duo device pops up a sign-in attempt that wasn’t yours, that’s 2FA working to help you spot something amiss. One UW student already using 2FA recently was alerted by a Duo sign-in request coming from Portland, though she had returned from there to Seattle days earlier.

“It’s important for everyone to know that an unexpected Duo notification could be the first clue that your password has been stolen,” Skiver Thompson said. “Duo has a mechanism for reporting such notifications and my office will investigate.”

Help is available on IT Connect for students, faculty and staff so they can report fraudulent 2FA requests.

2FA joins other enterprise tools you may be familiar with that are part of the UW’s overall cybersecurity strategy. These include eduroam for secure, encrypted connections to UW’s Wi-Fi network, and Proofpoint, the UW’s recently implemented spam filtering and email protection system.

UW staff and student employees were required to use 2FA with their UW NetID accounts in 2021. Earlier in 2022, all faculty adopted this use of 2FA. UW Medicine is in the process of implementing 2FA for employees who have a UW NetID and adding 2FA to MyChart accounts to help protect patients’ healthcare information as well.

Learn more on IT Connect about using Duo and 2FA.