January 2023

Microsoft to enable number match authentication for all UA alumni and retiree UA email accounts

Beginning February 27, 2023, Microsoft will enable number match authentication for all UA alumni and retirees who are currently using Microsoft Authenticator to access their UA email accounts.

With number matching enabled, the Microsoft Authenticator app will prompt users with a number. Users will need to type that number into the app to complete the authentication process when attempting to sign into their UA Outlook account.

The feature helps to prevent accidental approvals and provides protection against multi-factor authentication attacks.

Number matching isn’t supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.

FAQs

Who will be required to use number matching in Microsoft Authenticator push notifications?

UA alumni and retirees who are currently using Microsoft Authenticator to access their UA email accounts.

Can I opt out of number matching?

No, starting February 27, 2023 users can’t opt out of number matching in Microsoft Authenticator push notifications.

Does number matching only apply if Microsoft Authenticator is set as the default authentication method?

Regardless of their default method, any user who is prompted to sign in with Authenticator will see number match after February 27, 2023.

What happens if a user runs an older version of Microsoft Authenticator?

If a user is running an older version of Microsoft Authenticator that doesn’t support number matching, authentication won’t work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in.

LastPass Breach – Password change required

Many faculty, staff, and students use LastPass as a password management tool to store passwords in an encrypted environment. On December 22, LastPass informed its customers of a potential cyber security incident that could compromise the passwords stored in their accounts. LastPass discovered that in November 2022, a copy of the customer password vaults had been stolen. This attack affected a significant portion of the large LastPass customer base, including users at The University of Alabama.

Your LastPass password vault is encrypted with a master password that only you know. The cybercriminals who obtained copies of customer vaults in November 2022 may be trying to crack these master passwords to access the passwords stored within.

We recommend that you follow these steps, including changing your master password immediately. On January 4, 2023, at 2:00pm, OIT Security will configure LastPass to require all users to change their master passwords if they have not done so since December 21, 2022.

1) Change your LastPass master password to include at least 14 characters. This should be different from your myBama password. Consider using a pass phrase or at least five randomly selected words. Passwords must include 3 of the 4 character types (uppercase, lowercase, number, symbol).
2) Start changing the passwords for your stored accounts and prioritize your myBama account, email accounts, financial accounts, and other accounts that could cause significant harm to you or the University if stolen.
3) If you store API keys or other similar application credentials, change those as well.
4) If you store credit card numbers in LastPass, we suggest requesting a new card from your financial institution.
5) Continue changing all of your stored passwords.
6) Enable two-factor authentication on all services if possible. If you receive any two-factor prompts that you did not initiate, do not respond to them and contact security@ua.edu.
7) Check your financial accounts regularly for any fraudulent transactions.
8) Be on the lookout for phishing emails trying to steal your LastPass password or personal information!

For personal LastPass accounts, follow a similar course of action.
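As an added example (not part of this notice and not LastPass's own code), a small Python checker for the step 1 master-password rules: at least 14 characters, 3 of the 4 character types, and not reused from another account. It assumes a space counts as a symbol, and it shows that five lowercase words on their own do not satisfy the 3-of-4 rule until a capital letter, digit, or other symbol is added.

```python
import re
import string

# Policy values as stated in the notice.
MIN_LENGTH = 14
MIN_CLASSES = 3


def character_classes(password: str) -> set:
    """Return which of the four character types the password contains.
    Assumption: a space is treated as a symbol, like other punctuation."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("number")
        elif ch in string.punctuation or ch == " ":
            classes.add("symbol")
    return classes


def passphrase_word_count(password: str) -> int:
    """Count words when the password is written as a passphrase
    (words separated by spaces, hyphens, or underscores)."""
    return len([w for w in re.split(r"[\s\-_]+", password.strip()) if w])


def check_master_password(password: str, must_differ_from=()) -> list:
    """Return the list of policy violations; an empty list means it passes.
    must_differ_from holds other passwords (e.g. myBama) it must not reuse."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("needs 3 of 4 character types "
                        "(uppercase, lowercase, number, symbol)")
    if password in must_differ_from:
        problems.append("reuses another password (e.g. myBama)")
    return problems


if __name__ == "__main__":
    # Constructed sample: five random lowercase words are long enough but
    # only cover two character types, so the 3-of-4 rule still fails.
    for candidate in ("correct horse battery staple fish",
                      "Correct-Horse-Battery-Staple-Fish"):
        print(candidate, "->", check_master_password(candidate) or "OK")
```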

Additional resources:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
https://www.govinfosecurity.com/lastpass-breach-attacker-stole-encrypted-password-vaults-a-20790
https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/

FAQs
“Won’t DUO two-factor protect my account?”
Not against this type of attack. Your master password is the only factor protecting your stolen vault contents.

“If I change my master password why do I need to change my account passwords?”
The cybercriminals have obtained a copy of your LastPass vault from November 2022, which means that offline copy will not be protected by any future changes you make to your master password. Therefore, changing the stored passwords for each account is crucial to ensure their security.

Even if you change the stored passwords, it is still important to change your master password. If you do not, cybercriminals may try to access your active vault using your master password, giving them access to any newly changed passwords for your individual accounts.

“Will UA continue to use LastPass?”
At this time, UA will continue to use LastPass. OIT Security is evaluating other vendors.