This message was emailed to employees and students on October 18, 2023.
Dear WPI Community,
As we explained in last month’s communication about multi-factor authentication (MFA), WPI must change its MFA processes to protect your accounts and the university from vulnerability to hackers and malware. Craig Shue, Computer Science Professor and Department Head, explains the issue in our SECURE IT information security newsletter.
Starting last spring, we enabled MFA verification through the Microsoft Authenticator app with number matching, the most secure MFA method at this time. Thank you to all who are already using this method, and to those who have made the change since our September communication.
In accordance with recommendations from federal security agencies, we will eventually be eliminating other methods of MFA relying on calls, emails, or text messages for WPI login. We are taking this proactive measure now as Microsoft has already announced that they will be ending support for other MFA methods, likely next year.
ACTION NEEDED: We ask all WPI account holders to take these actions as soon as possible:
1. Ensure you are using the free app with this logo.
There are numerous authentication apps, many with similar logos and payment required. You do not have to pay for this app. If you are unable to use Microsoft Authenticator with number matching, please immediately contact the IT Service Desk to discuss a supported alternative. Information Security has tested various YubiKeys, and will procure these for community members who require this alternate MFA method.
2. Configure the Microsoft Authenticator Appas your default MFA method if you have not already. Step-by step instructions are on the WPI Hub.
3. Remove other MFA options. After successfully downloading and testing the Microsoft Authenticator App, please remove other options including calls, emails, or text messages, from your WPI account.
Timeline:
- Oct. 19, 2023: Beginning now, if you are not using Microsoft Authenticator app on your smart phone, alerts will appear when you need to use MFA prompting you to download the app.
- Jan. 2, 2024: A two-week countdown begins. Alerts continue to appear reminding you to use Microsoft Authenticator, and now inform you how many login attempts remain.
- Jan. 16, 2024: Access to resources requiring your WPI login and MFA will be restricted until you configure the new method. At that time you will be required to download Microsoft Authenticator and use number matching, or work with IT to obtain an approved alternative as the only means to access your WPI account.
If you need assistance installing Microsoft Authenticator, or are unable to use this app, please contact our IT Service Desk staff at 508-831-5888 or its@wpi.edu.
Thank you for your diligence in helping to keep our systems safe.
Vijay Menta
Vice President for Information Technology and CIO
LeeAnn LeClerc
Chief Information Security Officer