Multi-factor authentication for students' JU accounts
JU has decided to make multi-factor authentication (MFA) mandatory when accessing Office 365 for all students' JU accounts. The requirement will be gradually introduced during the spring.
What is MFA and how does it work?
Multi-factor authentication (MFA), also known as two-step verification, is an easy way to increase the security of your account and reduce the risk of strangers logging in with it. MFA confirms your identity with something that only you have access to, in addition to your password. It protects access to Office 365 even in cases where login credentials may have been leaked or stolen. In the same way as a bank ID, it confirms your identity on other services and provides additional confirmation that it is you who is logging in. You also have the option to deny login attempts that you do not recognize.
MFA makes it significantly more difficult for someone else to gain access to your JU account, even if that person knows your password. When MFA is activated, only you can access your account using a trusted device. In an initial stage, MFA will be used for Office365 services.
Rules for MFA
MFA is used to access Office365 services via your JU account from private/external computers and mobile devices. Using MFA means, for example, that when you want to access Outlook Online or files in OneDrive from your own computer, you need to perform an extra action to be able to log in. This also applies when using your own computer on campus via eduroam. If you use the university's computers, you will not need to use the MFA.
How does it work?
When you have activated MFA and via a private/external computer or mobile log in to Office 365, you need to verify your login using the Microsoft Authenticator app in your mobile phone or code from SMS. The IT Security Council recommends using the app for MFA. You will be notified in the login procedure when you need to verify yourself. Make sure you have notifications turned on in the verification app.
Stop unauthorized login attempts
Important! If you receive a verification request at any time when you are not logging into your account: choose to deny the login. It could be someone else trying to use your account information, which you have the option to prevent with activated MFA.
Background for the decision
Every day, many JU students are subjected to hacking attempts, where the absolute majority of these attempts take place from abroad. Today, an old protection that was developed before the use of the Internet became commonplace is used, namely the password. Usernames and passwords work well in isolated systems, i.e. those that are behind other protections in the form of, for example, locked doors. As more services are available in the "cloud", locking your front door no longer works that well.
The problem with usernames and passwords is that these can easily be copied/spread and exploited in other places in the world. This means that your JU account runs a greater risk of being compromised.
If you are subjected to a successful intrusion, the attacker can log in and access your files and e-mails, among other things. It becomes even more serious when the account can be used in attempts to access the passwords of other students or employees.
When we discover a breach, the account needs to be temporarily suspended to prevent further damage. When an account is temporarily closed, access to e.g. email, files on Onedrive and Teams as well as the ability to log in to Inspera and Canvas is lost. A forced password change needs to be performed before you regain control of your account.
The following date will make MFA mandatory for each company.
JTH: Wednesday 1/2 2023
JIBS: Wednesday 1/3 2023
HLK: Monday 3/4 2023
HHJ: Tuesday 2/5 2023
JUE: Monday 15/5 2023
If you have questions or problems, please contact IT Helpdesk