In light of a rise in cyber threats, the University is now requiring students to enroll in a two-step login procedure for all University Netbadge services. University Chief Information Security Officer Jason Belford sent an email to students March 13, announcing the new procedure, which impacts access to Collab, Student Information Services and Gmail. The new system uses a form of multi-factor authentication that is intended to make student accounts less vulnerable to cyber scams and identity theft. Belford said a factor is a “method of authentication,” of which there are three types — something you know, such as a password or security answer, something you have, like a one-time use code, or something you are, like your fingerprint or retina scan. Multi-factor means that more than one of these types is used. MFA attaches a second identifier tied to one person — such as an email address or phone number — to an online login. In the event a hacker attempts to wrongly access a user’s account by requesting a new password, it is unlikely they would also have access to the user’s email account or phone, making a successful attack extremely difficult. While the system’s roll-out for students is new, the University has been continually working to improve its existing security procedures since it suffered a cyber attack in the summer of 2015. After receiving approval from the Board of Visitors, SecureUVA — the University’s cyber security enhancement program — began granting MFA logins to faculty, staff and student employees last year. “We knew that we would eventually enroll all U.Va. students in 2-Step Login, offering them the same protection from cyber-attacks by unauthorized users,” Belford said. “We made the decision to do this now because we have seen a rise in the number of cyber threats directed at our students.” Last fall, more than 100 students inadvertently provided their Netbadge usernames and passwords to scammers by clicking a link in a phishing message that imitated past emails from Student Financial Services. Many phishing messages are caught by the University’s anti-spam systems, but some are able to bypass the filters and make their way to student inboxes. The new security measures require users to download the third-party Duo app on their smartphone or mobile device, which ties their phone number and login information to their Netbadge account. When logging into Collab, SIS or other applications from their phone or computer, students can then opt to receive push notifications on their phone that allow them to access these sites. The setup process itself is outlined step-by-step in the email and is meant to be easy for students to complete. "Most are surprised by how easy [registration] is,” ITS communications specialist Claire LaBar said. “They're done in about two minutes." Belford said students should take further precautions such as hovering over email links with their mouse to check for unexpected domain names, using different passwords for their various online accounts and forwarding suspicious messages to firstname.lastname@example.org. Students are reminded to register for the new service prior to the deadline April 16. After this date, users still registered to the old system will be unable to access any Netbadge-related services, particularly SIS and Collab. “Thousands of people have followed the link from their emails, but not many have completed the process of enrolling,” said Kate Grumbles, a fourth-year College student and ITS communications intern. “You know you’re done when you see a green key next to your profile in the Duo app.” ITS staff will hold support desk hours at various locations throughout March and early April to help students enroll in the new login system.