The implementation of two-factor authentication (2FA) and Microsoft Multi-Factor Authentication (MFA) at the University of Delaware has made UD accounts much more secure. Hackers cannot break into a 2FA- or MFA-protected account with just a username and a password. An extra 2FA or MFA code is required to complete the login process.

As a recent incident shows, some common sense is still required to protect your account, particularly if you set up 2FA or MFA to send your code via text message or to receive “Approve” requests from MFA on your cell phone.

Let’s say you’re an employee who set up your UD Office 365 Online account to use the Microsoft Authenticator App on your cell phone. One night, your phone lights up with a message that you have a login request to approve. You weren’t near your UD account, so you ignore the message. Then another message comes. And another one. And another one. And…. You don’t know what to do to make the notifications stop, so you click “Approve.”

Uh-oh.

You fell for an attack from someone who had acquired your password. (Perhaps you re-used a password you’d used at another site that had suffered a breach. Or perhaps you’d surrendered your password by falling victim to a phishing scam.) By clicking “Approve” on the Microsoft Authenticator app when you did not initiate the login, you just gave the hacker access to your account.

Fortunately, in this case, the employee realized the mistake and reported it to secadmin@udel.edu almost immediately.

Lessons learned

  • 2FA and MFA are designed to protect your account with something only you know (your password) and something only you have (your 2FA or MFA code or token). If you use MFA or 2FA (or another site’s multi-step verification) to approve an unknown login attempt, you may have let a criminal learn the code that only you should have.
    • If you receive requests to verify a login that you do not recall initiating, report them immediately. Do not run the risk of surrendering the extra code or token to a hacker.
    • Be particularly suspicious if you receive repeated requests to verify your login.
    • At UD, report situations like this one to secadmin@udel.edu.
    • If the situation arises with another account (e.g., Yahoo!, SSA.gov, your bank, a shopping site), report it to that vendor’s customer service or fraud report service.
  • If you believe that hackers have access to your UD account, change your password immediately and report the incident to secadmin@udel.edu. If you believe hackers have your password to another vendor’s account, change that password immediately and report it to that vendor’s customer service or fraud report service.
  • When using 2FA, MFA, or another form of multi-step authentication, you need to use some common sense. If you’re being asked to approve a login attempt at 2:00 a.m. and all your devices are turned off, is it a legitimate request?
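The pattern in the story above (a burst of push prompts nobody asked for, followed by an "Approve") is also something an account administrator can look for in sign-in records. The script below is an added example written for this post, not UD or Microsoft code; the log format and the user names are constructed for illustration, and the threshold and window are assumed values to tune locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): timestamp, user, MFA push result.
# "alice" receives four prompts in two minutes at 2 a.m. and finally approves one;
# "bob" receives one prompt and approves it right away (normal behaviour).
SAMPLE_EVENTS = """\
2023-03-01T02:01:10Z alice push_sent
2023-03-01T02:01:45Z alice push_sent
2023-03-01T02:02:20Z alice push_sent
2023-03-01T02:03:05Z alice push_sent
2023-03-01T02:03:40Z alice push_approved
2023-03-01T09:15:00Z bob push_sent
2023-03-01T09:15:20Z bob push_approved
"""


def parse_events(text):
    """Turn the constructed log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users who received at least `threshold` push prompts inside any
    `window`, and record whether an approval followed the burst (the case
    where the user clicked "Approve" just to make the prompts stop)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, items in by_user.items():
        sends = [ts for ts, r in items if r == "push_sent"]
        for i, start in enumerate(sends):
            burst = [t for t in sends[i:] if t - start <= window]
            if len(burst) >= threshold:
                approved = any(r == "push_approved" and ts >= burst[-1] for ts, r in items)
                alerts[user] = {"prompts": len(burst), "approved_after_burst": approved}
                break
    return alerts


if __name__ == "__main__":
    print(find_push_bursts(parse_events(SAMPLE_EVENTS)))
```

A hit with `approved_after_burst` set is the situation described above and is worth the same immediate follow-up as a user report: a password reset and a look at what the session did afterwards.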

As always,

Think B4 U Click!


More information

  • At the University of Delaware, we suggest that you use the Google Authenticator app to generate your 2FA code. It securely calculates the 2FA code on your device without requiring Wi-Fi or a cell signal. We’ve had reports that it works in the basement of the Morris Library and in Belgium, Poland, and Norway.
  • Similarly, we suggest that UD users of Exchange Online or Office 365 use the Microsoft Authenticator app to either approve login attempts or generate an MFA code.
  • If you do not recall trying to log in, never verify or approve an attempt to log in to your account.