Multi-Factor Authentication Update – Action Recommended
Dear WPI Community,
We are writing to alert you to a change in WPI’s multi-factor authentication (MFA) processes and to ask you to help protect your account and the university from account and data compromise.
Hackers have exploited a vulnerability in MFA processes that rely on texts, email, and phone calls as second-factor authentication, tricking users and increasing individual and university risk for cyber-attacks. WPI has recently been subjected to a high number of these attacks, which have compromised multiple WPI accounts.
To best address this vulnerability and provide the highest level of security in accordance with recommendations from Microsoft and federal security agencies, we suggest you update your MFA. At this time, the most secure MFA option is the Microsoft Authenticator App with number matching. Additionally, here is what our Computer Science Department Chair, Craig Shue, had to say about various MFA options and the vulnerabilities we are facing with our current choices:
“In computer security, it is challenging to confirm that a person is who they claim to be. Attackers know that they can gain significant advantages if they can impersonate somebody who is trusted, so they come up with elaborate and creative strategies to do so. This means organizations, and all of us, must take additional steps to prevent those attackers from succeeding.”
We ask that all WPI users (anyone with a wpi.edu account) download the Microsoft Authenticator app and use it as your default MFA verification method. If you’re already using Microsoft Authenticator, your app is likely already using number matching, so you will not need to make any additional changes. Instructions to configure MFA can be found on the WPI Hub here. If you have any issues installing Microsoft Authenticator, or are unable to use this app, please contact the IT Service Desk at 508-831-5888 to ensure you can use MFA via a supported alternative. Microsoft offers answers to common questions about its Authenticator app, including data handling.
WPI will discontinue any MFA option that relies on texts, calls, or emails in a few months, and we are giving you advance notice to get started on using a safer MFA option. We thank you for your diligence in helping to keep our systems safe.
Vice President for Information Technology and CIO
LeeAnn LeClerc, CISSP
Chief Information Security Officer