Over the past year, attackers successfully used phishing emails to compromise UC employee credentials, defeat location multi-factor authentication (MFA), access UCPath accounts and ultimately alter direct deposit information to redirect paychecks. To address this risk, a systemwide working group developed a standard to enhance MFA techniques used by locations for granting employees access to UCPath.
Employees will be required to use verified Duo push. Less secure verification methods, including call back and text message, will be disabled. More information will be coming for UCSC ITS on specific campus/user impact.
While the change will be transparent to most, up to 20% of staff may be impacted, particularly those who have older devices or rely upon discontinued verification factors.
To support users through this change, new text appears on the UCPath single sign-on page advising employees that their MFA options may soon change.
