Beginning on Monday, Oct. 29, off-campus students who wish to access their Application Portal, including but not limited to Google Suite, Canvas and Handshake, will be required to provide a secondary form of identification in addition to regular input of their username and password. This process is part of the implementation of two-factor authentication, a security initiative that has been in the works for nearly a year, according to Allan Chen, chief information officer.
Two-factor authentication officially began with faculty and staff this summer.
“We went live on June 25th, over the summer time, which is not usually an ideal time for a change like this,” says Chen. “Faculty were not checking email as regularly, and many were overseas. We got a lot of questions about the latter scenario in particular. But everyone got set up regardless of time and location, and we’ve received many comments that it was far smoother than they expected. Many have said that they appreciate the additional security.”
With timing already being a challenge for introducing two-factor authentication to faculty and staff, the decision was made to wait for the semester to actually begin before students would be required to use it as well. It has also been a standard for other institutions to allow faculty and staff to precede students with the introduction of two-factor authentication, according to Chen.
Nonetheless, the time has finally come for students to have this added security measure.
“We will turn on two factor early in the morning of October 29th, eastern time,” says Chen. “If you’re on campus, nothing will noticeably change. If you’re off campus, then, after you enter your username and password into the Application Portal, it’ll wait until you’ve provided the 2nd factor (or hit “accept” on your phone, which automatically sends the 6 digit code) before it’ll let you in. If you haven’t set up a 2nd factor yet it’ll prompt you to do so. You’ll be prompted once a day, per browser. So if you switch from Chrome to Safari, it’ll ask again.”
There are two options for providing the second factor, including either downloading and using the OneLogin Protect Smartphone App or through a text message sent directly to your phone. Chen notes that the app is the preferred method but a text message will work too.
In addition to anyone who is physically off-campus on Monday morning, International students as well as anyone living in off-campus housing will also have to go through two-factor authentication when attempting to login to their Application portal, even if they are currently on-campus when it goes into effect. This is due to the fact that both groups are considered to be off-campus by the school.
Muhlenberg choosing to enable two-factor authentication for strictly off-campus access is distinct from other institutions like Princeton University, North Carolina State University and Indiana University, all of which require secondary verification for every login attempt, including on-campus, according to Chen.
“We decided to make it off-campus only because of two reasons. First and foremost, an attack would almost certainly originate from off-campus,” explains Chen. “Second, we were concerned about faculty, staff and students needing to authenticate all the time for Canvas, for instance, which is often needed right at the start of class. We vetted this without security consultants and they agreed this was a sound approach.”
The implementation of two-factor authentication follows a string of recent phishing attempts that have been widespread across many campus email accounts. Earlier this month, for example, many students received suspicious emails regarding part-time jobs that also attempted to gain personal information.
Two-factor authentication will be a necessary step in protecting students’ online security, especially with these instances of attempted phishing.
“More than 90% of system compromises start off with a phishing scam, and all it takes is just a small number of people to fall for the scam to severely impact data security,”
“More than 90% of system compromises start off with a phishing scam, and all it takes is just a small number of people to fall for the scam to severely impact data security,” notes Chen. “Two-factor dramatically decreases the chance of someone getting into your account without authorization or by pretending to be you. Phishing is how people get in, and two-factor is how you prevent successfully phishes from leading to data compromises.”
Chen also emphasizes that “the best way to avoid a phishing scam is to recognize one in the first place, and not fall for it at all.”
“Two factor protects you should you fall for it, but ideally you avoid them in the first place. This is where our user education program kicks in. We are planning a program to educate faculty, staff and students on how to spot phishing scams, as well as how to keep better and stronger passwords, be more security aware, etc,” he adds.
Besides for just two-factor authentication, there are many other ways to be more cautious online.
“I hope that people will become more and more aware of good cyber security practices over time. Better able to spot phishing scams, using stronger passwords and a password manager, and understanding the dangers of, say, free WiFi at your local Starbucks,” notes Chen. “It’s a long process and we can’t overwhelm the community with new content and training and tools all at once, but the long term goal is awareness, plus tools to act on that awareness.”
