UIT Security Changes and Updates
Here you will find an updated list of upcoming changes and updates in information security.
What's Changing?
MSU systems will now automatically flag unusual login activity, like logging in from multiple places or using anonymous networks. Risky logins will require extra security steps (see Duo Step-Up Authentication below).
"High-risk" activities include but are not limited to:
- Logging in from several different locations
- Logging in anonymously
- Impossible travel circumstances
- Unusual user behavior/user behavior outside of known patterns
- Leaked credentials
- Situations where Microsoft is confident that a user has been or is at risk of being compromised
Why Does This Matter?
The more secure user connections are to outside networks, the better. Identifying and responding to risky behavior helps prevent security breaches by detecting threats like compromised credentials or unusual access patterns early.
What's Changing?
Step-up authentications are extra security checks that only happen when risky behavior has been identified. Think of it like starting to use the deadbolt on your front door when you usually only use the knob lock.
- What will these step-up authentications look like?
  - These step-up authentications will be the next “higher” type of authentication than the method you usually use
    - For example: if you always text, your step-up might look like a push notification
  - Other types of authentication methods that could be a step above your usual:
    - a text message or phone call with a code to enter in your Duo app
    - a prompt to use face ID or fingerprint on your phone
Why Does This Matter?
If risky behavior has been identified but the activity really is you, we want to make sure that you still have access to what you need. With this extra step, it's harder for bad actors to gain access instead.
What's Changing?
When performing work-related tasks or using remote access, you will need to use MSU-approved VPNs. You may not be able to log in using Duo if you're connected through third-party VPNs like NordVPN, Surfshark, or ExpressVPN.
Why Does This Matter?
By only using MSU VPNs, users limit the gaps in security that third-party VPNs might have. This is especially important when logging into our secure applications, such as Banner, Knox or Opal folders, Remote Desktop Connections, or Electronic Document Management.
What's Changing?
This change identifies a large portion of overseas sources attempting to use someone’s multi-factor authentication through a VPN, Tor, proxies, etc.
Why Does This Matter?
This identification of suspicious sources and disabling of anonymous networks further helps prevent account spoofing or access from sources that are not you.
What's Changing?
Emails containing sensitive personally identifiable information (PII) will be encrypted. If you try to send such an email, you’ll get a notification that it contains PII. Avoid sending personal data via email and use secure file transfer methods or approved platforms instead. In the near future, emails containing PII will be blocked, and you will receive a notification.
An encrypted email is locked so that only the intended recipient and the sender can view it.
Personally identifiable information includes but is not limited to:
- social security numbers
- passport numbers
- payroll information
- bank account information
- classified data
Why Does This Matter?
Sharing PII via unsecure methods (like unencrypted emails) puts that information at risk of being stolen. The goal in fall 2025 is to completely block this information from being shared via MSU email and push the use of /uit/securefile/index.html.
What’s Changing?
We’re adding a new layer of security called Token Protection to help keep your work accounts and data safer—especially when you're signing in from different devices or locations.
Why Does This Matter?
Think of your login like a concert ticket; once you’re in, you’re in. But what if someone copies your ticket and tries to sneak in too?
Token Protection makes sure that your “ticket” (your login session) can only be used on the device it was issued to. So even if a bad actor somehow gets a copy, it won’t work anywhere else.
- Based on an existing Microsoft tool
- Should have little obvious impact
What's Changing?
Starting fall 2025, new passwords will be required to be at least 14 characters long and more complex.
Why Does This Matter?
You do not currently need to change your password unless prompted to do so during a security event. This new requirement applies to new accounts, new applicants, or those who are changing their password for various personal or security reasons.
MSU UIT recommends using a password manager like Keeper to stay organized and secure.
What's Changing?
Messages sent from montana.edu, montanapbs.org, and msubobcats.com will go through an additional security step to verify email authenticity. When using platforms like Mailchimp, SendGrid, or Salesforce, they must be properly set up to authenticate emails. Submit a ticket to UIT before using these services to avoid issues.
Why Does This Matter?
This change helps protect against fake or spoofed emails. Unauthorized emails may be marked as spam or rejected completely.