Unsolicited job offers promising large payouts for minimal work, supposed faculty members giving away PlayStation 5 consoles and threats to disable a student or faculty member’s Microsoft Office account if they don’t give up their password. These are all routinely seen flooding people’s inboxes and one program hopes to put an end to it.
Microsoft Authenticator, the two-factor authentication process that requires all students and faculty to have its app on their phone to log in to their Point Park-affiliated email, is now mandatory.
Previously, authentication codes could be sent to a phone number via text or a phone call, but this method is now considered obsolete by Point Park Informative Technology Services (ITS) and is no longer supported.
According to ITS, the decision to make Microsoft Authenticator a requirement was based on the need to make the university’s systems more secure.
Additionally, phone numbers are not the most secure method of secondary identification. SIM card swap attacks, which trick a phone carrier into believing a hacker is the rightful owner of a victim’s phone number, can give a fraudulent party access to two-factor authentication codes, according to NPR. This type of attack can break open a Point Park email address.
Tim Wilson, assistant vice president of IT, said the changeover to Microsoft Authenticator has been an ongoing process since August 2024. Wilson said the emails sent to users are meant to encourage people to sign up for the authentication service.
“Using this variant of two-factor authentication is an industry-preferred method for authentication methods,” Wilson said.
Originally, the mandatory changeover was meant to happen on August 23, 2024, after what ITS said was an increase in hacking attempts on Point Park platforms.
However, this was postponed on August 22, 2024, while announcing a recommendation to switch from phone number verification again in April, May and June 2025.
Point Park is far from the only university to implement Microsoft Authenticator as a required form of two-factor authentication. For instance, Chatham University has enforced the app as the only acceptable way to sign into emails since spring 2023.
Additionally, Point Park has positioned Microsoft Authenticator as a line of defense against hacking attempts toward university email accounts. However, Wilson said he does not have enough data to say if it has helped because not every user has switched to the authentication app yet.
Chatham, on the other hand, has two years of data to see if Microsoft Authenticator has helped prevent hacked accounts from spamming every inbox in the university’s directory. According to a senior IT employee, who was not authorized to speak to The Globe, accounts still get hacked frequently despite Microsoft Authenticator being mandatory.
The employee said accounts were still hacked often after the Microsoft Authenticator rollout, where inactive faculty and graduated student accounts with compromised passwords will ask the hacker to set up Microsoft Authenticator, giving them access to an account that does not belong to them.
As for how often this happened, the employee said Chatham’s IT help line would get around 12 requests related to people clicking on fraudulent links sent by hacked email accounts every time a spam email was sent to every email in the directory. The employee said their system administrator solved the issue by disabling every account that appeared inactive, though this had the consequence of accidentally disabling over 30 accounts which belonged to current students and faculty at Chatham.
Beyond the difficulty of hijacking an inactive account, the Chatham IT employee said active accounts are often hacked because of people falling for scam links. The employee said the links themselves don’t hack users just by clicking it; rather, people type their password into a Google Form and give the malicious party an easy entry into their account.
While Wilson said the mandatory switch to Microsoft Authenticator was due to an increase in hacking attempts and to use the industry standard software, the Chatham IT employee said Microsoft’s deadline to make it official ended in October 2025.
As for Pitt, Microsoft Authenticator is only used for administrative purposes; students must use a different app, called Duo.
While Duo does not leave Pitt immune to hacked accounts targeting users similarly to Point Park, Pitt’s IT department has an email inbox for users to forward potential spam or phishing emails to, which are then verified as either real or spam. Additionally, Pitt requires users who fall for spam emails to enroll in “security training,” according to the Pitt News.
Point Park’s IT department additionally takes phishing email reports, while additionally warning the campus community about emails identified as spam.
Carlow University, however, does not use any authentication software beyond phone number verification.
As of publishing, Point Park ITS has not warned of any phishing emails sent to users since Sept. 19. Wilson said the IT help desk team stands ready to help students who haven’t switched to Microsoft Authenticator yet. ITS is available on the second floor of Thayer Hall or can be called at 412-392-3494.
“Again, we are willing and ready to help you,” Wilson said.
