Secure Authentication Toolkit FAQ

What is the purpose of the Secure Authentication Toolkit?

Logging in to an electronic resource with a user name and password/passphrase confirms your identity and grants you access to University systems and sensitive information. This puts passwords at the forefront of protecting your personal information as well as the University’s electronic data. Given this, the University is taking password security to another level to aid in safeguarding your electronic credentials. This will be managed through a centralized application, known as the Secure Authentication Toolkit. In addition to being the sole resource for all password activities* (such as password activation and registration, password reset, forgot your password, and password change processes), this application provides a second layer of password safety by requiring an additional authentication scheme (such as telephone numbers, e-mail addresses, and knowledge-based questions/answers) in order for users to gain access to systems and/or retrieve their password. This additional scheme is known as two-factor authentication.

*Note: This will not include password reset for Office 365 student accounts and sponsored accounts at this time. 

What does this mean for me?

All University of Missouri employees and students will be required to complete the user registration process by the end of this fall. To register, you will be asked to provide your mobile/cell phone and an external (non-University) email account. Additionally, you will be given a series of personal, knowledge-based questions which you will need to supply answers to. Knowledge-based questions are a secure method to confirm your online identity. They should contain information only you will know the answers to; therefore, do not choose questions where the answers are published online or readily available through social media. An example question is: What was the make/model of your first car?

Why are we requiring these additional steps?

“Phishing” is a problem experienced by cyber users across the world; unfortunately, the University community is no different. The University has investigated multiple incidents where employees have been deceived into providing their login credentials. Most often, this is a result of sophisticated phishing scams. Cyber-attackers generate spoof email messages (designed to avoid spam filters) directing employees to counterfeit login pages. Once the employee logs in, their user name and password are captured and can then be used to log in to other IT systems. When an employee is successfully duped into providing their password, they put information they access at risk. This can impact University information as well as personal privacy.

While we continuously work to combat the problem of phishing, an additional layer of password security will be added with the Secure Authentication Toolkit. This tool ensures that a password alone will not grant access to an IT system or application; in other words, the hacker must work much harder to obtain valid credentials. While not a complete solution to the phishing problem, the Secure Authentication Toolkit will move the University in the right direction as it continues to improve its security posture.

How will the University use my information?

The University will use this information for legitimate University purposes and as required by law.  The University does not market personal information to outside entities. 

For students:  Note that your directory information is publicly available under Missouri’s open records law unless you exercise rights under the Family Educational Rights and Privacy Act (FERPA) and University policy to restrict access to your directory information.  You can learn about what is considered directory information and your rights under FERPA and University policy at your registrar’s website: http://registrar.missouri.edu/policies-procedures/ferpa.php.

Will this slow down my daily work?

No.  Aside from the few minutes it takes to register, the only additional time that will be required is upon logging in to applications that use it. The immediate use is when trying to change or retrieve your password. Given this is hopefully not a daily occurrence, the additional few minutes it takes to log in to these resources should not be a burden. Future uses will include access to myHR and other IT applications that contain sensitive data. The tool can be adjusted in front of these applications to not overburden users. Final implementation plans for these uses have not yet been determined.

What should I do if I don’t have a mobile/cell phone?

If you don’t have a cell phone, you can use a home phone or a work phone to access your Secure Authentication Toolkit passcode. A work phone should only be used when it is a direct line uniquely assigned to you. Make sure the number you use is one you can get to quickly in order to retrieve your passcode.

Why do I need to provide a secondary (external) email address?

A non-University email address is required in case the password to your University email address is compromised by a hacker.  The secondary email address will be used as one of the options you can choose from to verify that you (and only you) are able to change your University password to a new one.

What should I do if I do not have a secondary (external) email address?

Create one! Most email services are free for use (see resources below). If you have a secondary email already, but do not feel comfortable sharing it with the University, you may create a new external email account for this purpose.

What if I choose not to register with the Secure Authentication Toolkit?

Registration will be required to access password tools as well as other University of Missouri applications in the future.  If you are not registered, you will not be able to use these applications.  For example, you must have registration information on file to use the Forgot Password tool in order to recover your password.  If you forget your password and are not registered with the Secure Authentication Toolkit, you may be required to visit your IT Support in person with a photo ID to retrieve your password.

I’m having a hard time answering some of the knowledge-based questions. What should I do?

If you would like to change a question option, use the pull down menu on the question field and select from a new set of pre-approved questions. Still having issues?  The key with the knowledge-based answer is that you can remember what answer you have given the system for a particular question.  You do not have to provide the correct answer, just be able to always give a consistent answer when prompted with that question.  For example, it is acceptable if the question is “What is your favorite color?” to answer “elephant”, so long as you can remember the answer is “elephant” when prompted with the question: “What is your favorite color?”

What is the purpose of the help desk verification question?

Some campus help desks may choose to use the additional help desk question to help verify identity over the phone.  The IT support personnel cannot see answers to your knowledge-based questions, only the help desk verification question.

What if I supply an alternate phone and/or secondary email address that is incorrect?

As long as the answer conforms to standard formatting (such as 573-123-1234 or something@gmail.com), the system will accept your answer. The University does not confirm the validity of your answers. However, the next time you try to reset your password or log in to an IT system with secure authentication in front of it (myHR will be the first IT system), you will not be granted access because you will not have a way to receive the random passcode needed to successfully log in. You will then be required to go through the registration process again to update your information.

How do I update my information after I have registered?

You can update your information with the Secure Authentication Toolkit at any time. To do so, you will need to log in to User Registration/Manage Settings with your University username and password. Once you have logged in, you have the ability to update any of the information you self-entered during the initial registration process (such as alternative phone, external email, knowledge-based questions/answers). Modify the appropriate data and click update.   

Do I need to download the mobile or desktop application?

No, an additional application is not required.  However, the mobile/desktop application provides more authentication options than just text, voice and/or email messages.  If you frequently log in to electronic resources which utilize secure authentication, you may find these mobile applications are more convenient than text, voice or email messages.  Instructions on installing the Secure Authentication Toolkit applications are available at www.umsystem.edu/ums/is/infosec/secure_authentication_app

If you need additional assistance, please contact your IT Tech Support team. 

Reviewed June 21, 2017.