Microsoft to enable number match authentication for all UA alumni and retiree UA email accounts

Beginning February 27, 2023, Microsoft will enable number match authentication for all UA alumni and retirees who are currently using Microsoft Authenticator to access their UA email accounts.

With number matching enabled, the Microsoft Authenticator app will prompt users with a number. Users will need to type that number into the app to complete the authentication process when attempting to sign in to their UA Outlook account.

The feature helps to prevent accidental approvals and provides protection against multi-factor authentication attacks.

Number matching isn’t supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.

FAQs

Who will be required to use number matching in Microsoft Authenticator push notifications?

UA alumni and retirees who are currently using Microsoft Authenticator to access their UA email accounts.

Can I opt out of number matching?

No. Starting February 27, 2023, users can’t opt out of number matching in Microsoft Authenticator push notifications.

Does number matching only apply if Microsoft Authenticator is set as the default authentication method?

Regardless of their default method, any user who is prompted to sign in with Authenticator will see number match after February 27, 2023.

What happens if a user runs an older version of Microsoft Authenticator?

If a user is running an older version of Microsoft Authenticator that doesn’t support number matching, authentication won’t work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in.

LastPass Breach – Password change required

Many faculty, staff, and students utilize LastPass as a password management tool to store passwords in an encrypted environment. On December 22, LastPass informed its customers of a potential cyber security incident that could compromise the passwords stored in their accounts. LastPass discovered that in November 2022, a copy of the customer password vaults had been stolen. This attack affected a significant portion of the large LastPass customer base, including users at The University of Alabama.

Your LastPass password vault is encrypted with a master password that only you know. Cybercriminals obtained copies of customer vaults in November 2022 and may be trying to crack these master passwords to access the passwords stored within.

We recommend that you follow these steps, including changing your master password immediately. On January 4, 2023, at 2:00pm, OIT Security will configure LastPass to require all users to change their master passwords if they have not done so since December 21, 2022.

1) Change your LastPass master password to include at least 14 characters. This should be different from your myBama password. Consider using a passphrase or at least five randomly selected words. Passwords must include 3 of the 4 character types (uppercase, lowercase, number, symbol).
2) Start changing the passwords for your stored accounts and prioritize your myBama account, email accounts, financial accounts, and other accounts that could cause significant harm to you or the University if stolen.
3) If you store API keys or other similar application credentials, change those as well.
4) If you store credit card numbers in LastPass, we suggest requesting a new card from your financial institution.
5) Continue changing all of your stored passwords.
6) Enable two-factor authentication on all services if possible. If you receive any two-factor prompts that you did not initiate, do not respond to them and contact security@ua.edu.
7) Check your financial accounts regularly for any fraudulent transactions.
8) Be on the lookout for phishing emails trying to steal your LastPass password or personal information!

For personal LastPass accounts, follow a similar course of action.

Additional resources:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
https://www.govinfosecurity.com/lastpass-breach-attacker-stole-encrypted-password-vaults-a-20790
https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/

FAQs:
“Won’t DUO two-factor protect my account?”
Not against this type of attack. Your master password is the only factor protecting your stolen vault contents.

“If I change my master password why do I need to change my account passwords?”
The cybercriminals have obtained a copy of your LastPass vault from November 2022, which means that offline copy will not be protected by any future changes you make to your master password. Therefore, changing the stored passwords for each account is crucial to ensure their security.

Even if you change the stored passwords, it is still important to change your master password. If you do not, cybercriminals may try to access your active vault using your master password, giving them access to any newly changed passwords for your individual accounts.

“Will UA continue to use LastPass?”
At this time, UA will continue to use LastPass. OIT Security is evaluating other vendors.

OIT to Implement Additional Email Security in January 2023

Beginning in January 2023, OIT will implement new email security features to help students, faculty and staff better recognize phishing emails. These new security measures utilize mailbox intelligence and recognize email user patterns.

Outlook will provide safety tips for inbound mail that comes from new or unusual senders. Below is a screenshot example.

"You don't often get mail from this address."

The mailbox intelligence will also better recognize impersonation attempts. UA students, faculty and staff often receive impersonation phishing emails where messages are sent from addresses similar to a known contact. If a message is marked as an impersonated user, it will be delivered to the recipient’s Junk folder and contain an alert.

Network Upgrades Saturday, Dec. 17

OIT will be performing necessary network upgrades Saturday, Dec. 17 from 8am – 11am. The wired and wireless campus network will experience intermittent outages during the maintenance window. Services will resume normal operations by 11am.

Banner Upgrade – Sunday, Dec. 18

OIT will be implementing a Banner bundle upgrade on Sunday, Dec. 18 from 4:00am – 10am. myBama and channels that connect to Banner will not be accessible, including self-service and administrative systems. For questions or concerns, contact the IT Service Desk at 205-348-5555 or itsd@ua.edu.

Banner Upgrade – Sunday, Dec. 4

OIT will be implementing a Banner bundle upgrade on Sunday, Dec. 4 from 5:30am – 10am. myBama and channels that connect to Banner will not be accessible, including self-service and administrative systems. For questions or concerns, contact the IT Service Desk at 205-348-5555 or itsd@ua.edu.

Nov. 28 Service Outage Root Cause

On Monday, Nov. 28 at 1:45pm, a critical component supplying power to the Gordon Palmer data center failed. All services within the data center abruptly shut down, causing a widespread network and system outage. OIT implemented mitigation efforts to restore core services by 5:45pm. OIT reactivated equipment on Tuesday, Nov. 29 at 9am to provide backup power service in preparation for severe weather.

All core services are available, and our team continues to closely monitor data center activity. UA’s ongoing Gordon Palmer data center renovation, scheduled to be complete in February, includes redundant power equipment, which should prevent this issue from occurring in the future.

Windows 7 to be Restricted from UA Network

Beginning Monday, Jan. 16, Windows 7 devices will no longer be permitted to connect to the UA campus network. As a reminder, Windows 7 reached end of life on Jan. 14, 2020. All Windows devices should be running Windows 10 or Windows 11.

Cybersecurity Town Hall Event

Join the OIT Security Team Thursday, Oct. 20 at 12:00pm for a virtual Town Hall Meeting.

Ransomware is a term you’ve seen a lot in the news lately, but do you know how to protect yourself, your computer and your sensitive information from a ransomware attack? Join the OIT Security Team Thursday, Oct. 20 at 12pm for a virtual Town Hall Meeting to ask questions of the team and learn how to be cyber secure.

UA CISO Taylor Anderson will provide a brief presentation on cybersecurity practices at UA and offer tips on how you can protect sensitive information. The team will then answer questions from the audience! Email victoria.collins@ua.edu to submit a question to the team in advance! More information about the event is available on the UA Events Calendar.

The Town Hall will be held on Microsoft Teams.