It was the second week of school, and I was trying to complete a math problem set with my friend. The only problem was that he couldn’t log into Sakai to see the problems. He had broken his phone, and because of Duo Security’s two-factor authentication process, he needed another device aside from his computer to complete the process of signing into his account. But, of course, he didn’t have one.
By now, students at Harvey Mudd College, Claremont McKenna College and Pitzer College have become familiar with using a two-factor authentication process from Duo whenever they log into the colleges’ online systems through the Central Authentication Service. Pomona College and Scripps College have yet to implement Duo for students.
Systems that use the CAS include student portals, Sakai, Handshake, Workday and library databases. To access their accounts, students and staff must first enter a username and password, then either respond to a Duo Push sent to the Duo mobile application on their phone, answer a phone call or use a passcode.
Across the Claremont campuses, students seem to generally feel that Duo is inconvenient since it has created a longer process for signing in and difficult situations like the one that my friend found himself in.
However, in today’s age of hacks and phishing, a username and password simply aren’t enough to keep data secure. Multi-factor authentication provides a much-needed barrier between online data and those who might collect that data without users’ permission, sometimes for nefarious purposes.
Passwords account for 81 percent of data breaches, according to the 2019 Data Breach Investigations Report from Verizon. People often use the same or similar passwords for all of their accounts, and such information can be stolen or guessed relatively easily. If the only step involved in the login process is entering a username and password, a website cannot tell the difference between the real user and an impersonator.
For example, earlier this year, hackers gained access to the data of applicants to three U.S. colleges through phishing. They sent emails that appeared to be authentic to staff at Oberlin College, Grinnell College and Hamilton College to trick employees into giving them passwords. At the time, these three colleges had been using a single sign-on security system that only required a username and password for login.
That’s where multi-factor authentication comes in. Multi-factor authentication is a process of verifying a user’s identity by forcing the user to complete a multi-step login process, typically with another device that the real user should be able to access. It ensures that someone attempting to log in as a user is truly that user because only that user should have access to the second device needed to complete the login process.
Furthermore, all colleges receiving federal funds are required to be in compliance with the Gramm-Leach-Bliley Act of 1999, which requires colleges and universities to protect students’ online data. Since the Claremont Colleges receive federal funds, the Department of Education requires them to protect students’ online data, and one way that they can do so is by using Duo’s multi-factor authentication process.
For those who are still not convinced that we need Duo, it’s really not that inconvenient to use. Users can add multiple devices to their account in case one device is lost, stolen or broken. Additionally, CMC and HMC students who use the same device to log into the colleges’ online systems have the option of allowing Duo to remember their device for 30 days, so that they only have to complete the second step of the sign-in process every 30 days.
Unfortunately, Pitzer students can only have their devices remembered for 24 hours, but this is a small price to pay for the advantages of Duo. To make security more convenient for Pitzer students and staff, Pitzer administration should look into lengthening the period for which devices are remembered.
For the benefit of added security, we can put up with a little more inconvenience in our lives. I highly doubt Claremont students would prefer their data stolen and weaponized in exchange for a few extra seconds in their day.
Michelle Lum HM ’23 is from San Jose, California. She enjoys traveling, exploring the outdoors and eating too many chocolate chip cookies.