Expansion of Two-Step Login for Nonacademic Employees
Related services: Two-Step Login
To further strengthen the university’s defenses against password theft, by early August, all nonacademic staff will be required to use the expanded version of Two-Step Login for any service that uses CUWebLogin to request the employee’s NetID and password.
Since April, when Two-Step Login was required for all Cornell employees to access high-risk tasks in Workday, the added layer of authentication has greatly reduced threats to sensitive information. However, attempts to compromise other services and information have only become more focused and constant. The university averages 200 password compromises per week.
In response, Cornell's IT Governance Council* endorsed a recommendation to mandate that all nonacademic staff--employees whose Human Resources classification is nonacademic, including those on temporary appointment, and academic staff employed by Cornell University Library--use Two-Step Login for any service that uses CUWebLogin to request the employee’s NetID and password. This action will not affect student employees.
*The IT Governance Council includes Provost Mike Kotlikoff, Vice President Joanne DeStefano, Dean of Cornell Tech Dan Huttenlocher, Dean of CIS Greg Morrisett, CIO Dave Lifka, and CIO of Weill Medical College Curt Cole.
On a rolling timeline from July 5 to August 1, all nonacademic staff will be converted to the expanded version of Two-Step Login. About 32 percent are already using the expanded version. The units of those receiving this message are tentatively scheduled to make this change at the end of July.
Students, faculty, and all other academic classifications are not included. This consideration is being made in recognition of the unique needs of the faculty, researchers, and students. However, they are strongly urged to voluntarily switch to the expanded version as soon as their schedule allows to protect themselves and the university resources in their care.
The planned date for first communications to Cornell employees about Expanded/Required Two-Step Login is Wednesday, June 28.
Areas of Effort
We anticipate the following areas to be of greatest impact and are working to plan accordingly:
- Two-thirds of employees have not used Two-Step Login since the initial setup, so the habit will need to be established.
- Nonacademic staff whose work is done via computer will need to be prepared to use Two-Step Login every day.
- Nonacademic staff who don’t typically use computers may experience a more modest impact and will need to plan ahead when computer tasks are required.
- Nonexempt employees who record their time via Kronos on the web will need to be prepared to use Two-Step Login for that task.
This effort will also include attempts to ensure that the 2,757 employees who did not enroll themselves in Two-Step Login by the April deadline are prepared for the expanded version. These individuals were mass-enrolled by CIT at the end of April, using either their phone number on record or, if one was not available, a fake phone number (607-999-9999).
This message has previously been provided to the president, provosts, vice presidents, deans, directors, department heads, and many managers, as well as IT service group directors, IT security council, and all IT@Cornell staff.
Anyone who has general questions about Two-Step Login should visit it.cornell.edu/twostep. Local IT support providers should be aware of this change and be able to answer most questions. The IT Service Desk is also available as a resource: it.cornell.edu/support