Refreshing Your Account Security

UF Information Technology (UFIT) recommends evaluating the security of all of your online accounts. Strengthening your passwords for important accounts such as personal email, online banking access, and social media can protect you from some of the most damaging hacks. 

It is extremely important to use a different password on each site, so hackers can’t use passwords stolen from one account to break into your other accounts. One strategy recommended by security professionals is to use a “passphrase” made up of four or more random, unrelated words. Surprisingly, this is a stronger password than one made up of random letters and characters and is much easier to remember!  UF requires strong passwords for GatorLink account credentials. A common misconception about your GatorLink credentials is that you can’t use words found in a standard American dictionary as your password. But if your password is longer than 18 characters, then words are allowed. So, the next time you update your UF credentials, consider using a passphrase.

UFIT also recommends setting up multi-factor authentication (MFA) on your non-UF critical accounts. MFA solutions for external applications work like how Duo Mobile works at UF: your mobile device generates a one-time access code that you enter to access the account. By configuring MFA on your accounts and using the ‘Authenticator App’ option when doing so, you add an extra layer of security even if hackers compromise your password. All mobile devices can store MFA codes in the same Duo Mobile app you already use for UF. Alternatively, Apple devices can store those MFA codes in iCloud Keychain, where they will sync and autofill across your personal devices (including Windows via the iCloud application).

Beyond MFA, some companies now offer support for passkeys. A passkey uses an on-device verification mechanism, such as Face ID or a screen lock passcode, to verify your identity and allow access to an online account. Passkeys by design are more secure than passwords and provide protection against phishing, because they don’t require you to remember anything! Check out this demo to discover how passkeys work and visit the Passkey Directory for a list of websites that support passkeys today. 

Taking steps to secure your accounts is an investment in protecting your identity, money, and online image and reputation. For more information on creating secure passwords: https://security.ufl.edu/learn-security/passwords/ 

Falling for a Phish Can Lead to an MFA Bombing Attack

Phishing attacks are frequently carried out through emails or texts that appear to come from a reputable source. Cybercriminals are skilled at using deceitful tactics to trick users into revealing personal information such as logins or credit card information. Common phishing tactics include:

Unsolicited work opportunities that lead to requests for bank routing information, or ask the new “employee” to purchase supplies, with the promise of reimbursement
Messages warning of an imminent deactivation of your accounts, such as bank accounts, social media accounts, or subscription services
Emails allegedly from the IRS, FBI, or other federal agency threatening legal action, and directing you to imposter websites requiring you to enter personally identifying information
Urgent requests from fake email accounts impersonating a high-level person in your organization, asking you to purchase gift cards or submit your credit card information.

Pay close attention to any email asking for GatorLink login credentials. Unauthorized access to your GatorLink account can expose your personal or academic information. Once a GatorLink login is compromised, the attacker may repeatedly spam Duo Push requests to your device — otherwise known as “MFA Bombing” — hoping you will accept just to make the requests stop. Approving an unexpected Duo request gives the criminal access to your account. Visit the MFA bombing webpage to learn more about this form of cyberattack.

Change Coming to Email Login Experience

Modern Authentication will be enabled for supported email clients on Sunday, Sept. 26. This change is necessary to strengthen UF’s security posture: “Modern Auth” provides a more secure login experience and allows usage of multi-factor authentication for supported email clients.

How Does This Change the User Experience?
Anyone who uses an email client that supports Modern Auth will initially see a change in their login experience. After Sept. 26, users will receive a prompt similar to the login.ufl.edu webpage. Users of MS Teams, or the Outlook for iOS/Android login procedure, will be familiar with this new experience. When Modern Auth is implemented, users will also validate with multi-factor authentication. Once successfully authenticated, users will not be prompted for a password again until:

1. Their GatorLink password is changed or expires.
2. Their supported email client is inactive for more than 90 days.

What is NOT happening?
Basic authentication is NOT being disabled. UF email clients using basic authentication (e.g., IMAP and older versions of Outlook) will continue to work as expected.

Whenever a change is made to email, there is always a concern that someone may inadvertently fall victim to email scams intended to steal UF login credentials. Anyone with questions or concerns about the legitimacy of an email should contact the UF Computing Help Desk (132 HUB, helpdesk@ufl.edu, 352-392-HELP/4357).