UNIVERSITY PARK, Pa. — Penn State is transitioning from Duo to Microsoft Authenticator for multifactor authentication (MFA). This change will require most Penn State Account holders to enroll in and use the Microsoft Authenticator as their new identity-verification method for accessing secure Penn State resources such as Office 365, Canvas, LionPATH, WorkLion and more.
While all students, faculty and staff members will be required to use Microsoft MFA before the end of the year, students will be the first group to transition this spring semester. This approach will enable Penn State IT staff to support the transition while most students are on-site and minimize any disruptions at the start of the fall semester. Faculty and staff members will transition later this summer and throughout the fall semester. More details about the faculty and staff transition to MFA will be provided then.
From March 23 to May 8, students will be able to self-enroll in MFA. More details and enrollment instructions will be communicated to students soon. Students in the College of Medicine will transition to MFA along with College of Medicine faculty and staff members. Students graduating in May are not required to enroll in MFA.
"Duo two-factor authentication has served us well since it was implemented at the University eight years ago for faculty and staff members and, more recently, for students," said Keith Brautigam, chief information security officer and deputy chief information officer. "However, transitioning to Microsoft MFA enables the University to reduce costs by aligning with other Microsoft tools we're already using, streamline service management, and enhance Penn State's security posture."
As cyberattacks become an ever-increasing reality for higher education institutions, cybercriminals can get into a user's account if they guess the correct password, trick the user into sharing their password through a phishing email, or use a stolen password that has leaked on the internet. While passwords can be guessed, phished or stolen, only the actual user can provide the right response on their mobile device, tablet or landline at the right time through MFA.