Skip to main content

2-Step expands to Microsoft, including email

Over the past year, ITS collaborated with schools, departments and groups across campus to protect sensitive data by rolling out 2-Step Verification on systems that are most likely to be attacked by phishers, including administrative systems and email.






This effort has involved and continues to involve groups throughout ITS.

When ITS kicked off the expansion of 2-Step on September 1, 2017, some 13,000 users were enrolled in 2-Step for Duo, mostly to access W-2 information and University systems that require privileged access. By the end of the 2017-2018 fiscal year, ITS had 51,000 users enrolled in Duo and had implemented 2-Step for Duo on the following administrative systems:

  • VPN
  • ConnectCarolina for students to pay and access bills
  • ConnectCarolina for all administrative users
  • Seven Research Systems

Adding 2-Step to Office 365

U.N.C. 2-step logoIn early 2018, ITS shifted its 2-Step focus to implementing 2-Step for email and Microsoft Office 365. ITS decided to implement Microsoft’s native 2-Step Verification tool because it does not require users to change their email programs on their desktop, laptops or mobile devices. The rollout consisted of:

  • In February 2018, releasing a tool to enable users to enroll early in 2-Step Verification to protect their email accounts and data in Office 365
  • In March 2018, automatically enrolling all incoming students in 2-Step Verification for Office 365
  • Preparing for all Office 365 users to be required to sign in with 2-Step Verification beginning December 6, 2018
  • Implementing the 1-Phish, 2-Step program, which requires that accounts that are compromised use 2-Step Verification

By the end of the fiscal year, 16,000 users were enrolled in 2-Step Verification for Office 365. As a result of these efforts and continued communications regarding phishing, ITS saw an 82 percent drop in the number of compromised accounts in July 2018, compared to July 2017.

Significant effort required

The 2-Step project has required — and will continue to require — tremendous effort and resources, including staff time and expertise, commitment, collaboration and communication. The project team meets weekly. Members of the team have presented many times to the campus community to explain about the need for 2-Step and the havoc that phishers are causing.

In an email to the campus in May, Assistant Vice Chancellor Dennis Schmidt explained that phishers: “often use stolen credentials to receive student discounts on goods and services such as Amazon Prime. They are also using the credentials for fraud and identity theft, targeting banking and payroll information, shifting funds to other accounts, and accessing services the person may already use that are registered with his or her University address or credentials.”

Project team members and all of IT, in fact, demonstrated their commitment to 2-Step by walking the talk. ITS required 2-Step use for itself early in the implementation.

Informing the campus

Brenda Carpen

ITS has also been getting the word out about the importance of using 2-Step via campus events, frequent emails and tweets, and creation and distribution of posters and postcards. ITS also has continually sought to improve its reach and messaging. The project team enlisted ResNET students, for example, to provide constructive feedback on ways to improve the 2-Step documentation and communication.

“This project has really required the subject matter experts from every group within ITS as the scope of systems we are trying to protect has been so varied,” said Project Manager Brenda Carpen of ITS Infrastructure & Operations. “I’ve enjoyed getting to know the team, the users they support, the work that they do, and the constraints that they face. I very much appreciated their flexibility when things change.”

The 2-Step project has been challenging but also extremely rewarding and insightful for the ITS team.

“One of the most insightful aspects of this project for me was going out with the team and presenting to various user groups on our plans for 2-Step Verification and hearing feedback directly from the users,” Carpen said. “One key learning for me was that it is important to present the information in many different ways. Stories about students, faculty and staff who been affected by compromised accounts resonated with most people, and facts and figures were appreciated by many of the academics.”

Key Partner(s): Communication Technologies, Enterprise Applications, Finance & Administration, ITS Service Desk, Identity Management, Information Security, Infrastructure & Operations, Middleware Services, Office of the CIO, Research Computing, User Support & Engagement
Comments are closed.