UI takes firmer online security measures
October 1, 2018
Knowing only a username and password pairing might soon be insufficient for logging into University accounts and services due to the school’s decision to phase in two-factor authentication, otherwise known as 2FA, in Fall 2018.
Undergraduate students can continue to opt in for 2FA, but graduate students are required to use 2FA starting in October, and staff and faculty members will be required to do so in November.
Dana Mancuso, manager of Media, Information and Communications for Technology Services, said 2FA is already being used to protect the payroll system, but will now be used to log into applications such as Compass 2G and Moodle.
Universities across the country are implementing 2FA. Universities, in general, can be targets for attackers because they hold large amounts of personal information about people and other sensitive data, such as those used in academic studies, Mancuso said.
“If someone found out your password, they’d be able to access all of your data. Now, with 2FA, they also need to break into your house and get your phone. So that makes the probability of a successful attack happening much more difficult,” said Adam Bates, assistant professor in Engineering.
Nikita Borisov, associate professor in Engineering, said although the 2FA technology isn’t completely foolproof, it drastically reduces the chance of a successful attack on an account.
“We really can’t overstate the importance of protecting information,” Bates said. “The University has all sorts of information about your finances, about your health, insurance, social security and so on. This sort of information can form your identity. This can be used by someone to forge your identity.”
With 2FA, the user will first log in with their password. The system will then ask them to re-verify their identity using an app, phone or text.
This way, even if an attacker manages to guess the user’s password, they wouldn’t be able to break into the user’s account. In addition, the user would get a notification of an unauthorized attempt to access their account, which would allow them to immediately change their password.
The University will be using Duo Security, a tech security company, as its vendor for 2FA implementation. Borisov said Duo Security is a well-established company that has been protecting campus services for around three years now. He said Duo Security does not have access to users’ passwords, so there is no risk of Duo Security divulging them inadvertently.
Borisov said 2FA would also prevent people from breaking into a student’s account and copying their assignments.
Other Big Ten universities are also rolling out 2FA, according to Technology Services.
Services such as Gmail, Facebook and Steam, an online gaming platform, have used 2FA for a long time, Bates said.
“Financial and investment firms, government agencies, also are adding 2FA,” Mancuso said. “2FA is a well-tested practice and the current industry-standard way to gain a higher level of confidence than passwords alone that someone is who they say they are when they log in.”