By Robert Palazzolo
Cybersecurity — or, the lack thereof — is all over the headlines these days, prompting governments, businesses, universities and even individuals to bolster their electronic defenses.
Fordham is no exception. Starting this semester, Fordham IT will introduce Multi-Factor Authentication (MFA) to all active university-affiliated online accounts. For students, this means that a username and password will not be enough. Soon, there will be a third action to complete in order to login to the Fordham network.
“[Cyber] Attackers get more sophisticated every day,” said Elizabeth Cornell, PhD. director of IT Communications.
“Experts agree this is one of the best ways to prevent any kind of malicious attack.”
The system will work like this: first, type in a username and password, as usual. Right afterwards, students use their phones to confirm their identities and complete the login.
There are a few different ways to complete the last step of confirming the student’s identity on a phone. One is via the Duo Mobile MFA app (which is available for Apple, Android and Windows phones). After the student enters the username and password, the app will immediately send a push notification with options to either approve or deny the login. Once the student taps “approve,” the login is successful.
Through the same app, users can also receive a one-time, unique password to confirm their identity and login. Duo can also text users the one-time passcode or send an automated call, if preferred.
That identity confirmation will be remembered for thirty days — meaning if users use the same device and browser, they will only need their username and password to login for the next thirty days. And when checking email on a mobile device, users will only be prompted to use the MFA system when setting up access to email on that device or changing a password. Therefore, students will not need to authenticate every time they check their Fordham email on their phones.
Duo Security, Inc. will be the provider of Fordham’s new MFA system. Their website lists Facebook, NASA, Toyota, Twitter and others as clients.
A Fordham IT blog post also lists Columbia, Harvard, MIT and NYU as universities which utilize Duo’s MFA system.
Cornell said that MFA technology is common, and fast becoming a vital defense.
“People should be questioning any institution that isn’t providing this extra layer of security,” Cornell said. “It’s just so important — and you have it at your bank, you have it in your credit cards,” she added.
According to NBC News, 550 universities reported some kind of data breach between 2006 to 2013. A significant cyberattack on Penn State’s systems in 2015 resulted in the compromise of many student usernames and passwords. In 2014, the University of Maryland and North Dakota University suffered similar breaches. Cornell said that despite the added inconvenience of MFA, the growing threat that these other attacks demonstrate means that Fordham IT has had to be proactive.
“It’s a very, very real threat, and we take it very seriously,” she said.
Student reactions to the added security measures ranged from somewhat positive to more skeptical.
“I think it’s a good thing,” said Frank Sikorski, FCRH ’17. “Seems to be a mild inconvenience, but more cybersecurity is better.”
“I wonder why it’s necessary,” said Margaret Sullivan, FCRH ’17. “But I don’t think it would be too bothersome,” adding that the existing WiFi compliance security check means that she is already used to following IT-mandated security procedures once a month.
So far, the amount of student feedback reaching Fordham IT has been relatively small. But that is likely to change when IT begins their education campaign to try and get students ready for the new system. The only marker of coming change has been a small box on the my.Fordham login page that alerts students that the MFA system is coming. But Cornell says IT will be sending a barrage of informational emails to students, as well as hosting a series of informational sessions in each residence hall.
To ensure students are aware of the change in plenty of time, Cornell said they are holding out on setting a hard deadline for the switch until they feel confident students are going to be ready.
“We want it to be as smooth as possible, for everyone,” Cornell said.