Pitzer College earlier this month became the latest of the 5Cs to implement two-factor authentication for students logging into their school accounts, through a computer security service called DUO.
Pitzer’s adoption of the service, which follows the gradual implementation of DUO at Claremont McKenna College this academic year and at Harvey Mudd College before that, is part of a shift by all 5Cs to move to two-factor authentication to better protect online data.
“One obvious risk is [that data] could be altered by an attacker. Another is simply the disclosure of legally protected data. And of course, if enough data is collected, the attacker can steal an identity or launch a spear-phishing attack,” Pitzer information technology services director Robert Goldstein said. “Multi-factor authentication significantly mitigates those risks with minimum inconvenience.”
Two-factor authentication will require anyone attempting to sign in to the colleges’ online systems to enter their username and password through the Central Authentication Service, then either accept a notification through the DUO smartphone app, pick up a phone call or enter a passcode.
The CAS is the 5C-wide portal through which students log into all online college services, including registration portals, Sakai, Workday, library databases and Handshake.
Students seem to understand the merits of increased data protection, but some reported finding two-factor occasionally inconvenient and difficult to adjust to.
“I’ve heard from some other people that it definitely has its values and benefits, but it also can be somewhat of a hassle when trying to check a grade really quickly on Sakai or get to a reading [for class] really quickly,” Aliana Tsai PZ ’19 said several days after DUO was implemented for Pitzer students.
Other students questioned whether such a high level of security was necessary for college online services.
“I don’t have anything on Sakai that needs to be secure enough to [require two-factor authentication],” Denise Dao PZ ’21 said. “I don’t feel like if anyone got on my Sakai that would be an issue with me personally, but I do understand if people [consider it] necessary.”
Both CMC and Pitzer provide options for students to avoid using two-factor authentication every time they sign in. CMC students can choose to have the program remember them for 30 days, and Pitzer students can have it remember them for 24 hours.
Some students expressed support for the program.
“[Having DUO] kind of solidifies, to me, that it’s my account, and that I have this added security in doing that second login,” Sasha Houy CM ’19 said. “I’ve heard from peers that it’s kind of annoying to have to pull your phone out every single time you go on a new device, but I think it adds an extra level of security that makes me more at ease that nobody else is using my profile.”
Before this academic year, the 5Cs decided to implement DUO to improve their online security, and purchased the service in early 2017, according to representatives from the various colleges. Pitzer staff began to be added to DUO last September, Goldstein said, and faculty were added several months later.
After a pilot program last summer, CMC began rolling out DUO to the student body, faculty and staff; the college deployed DUO for all its students over the last two months.
The multi-college move to DUO followed a 2015 Department of Education push for colleges receiving federal funds — which all the 5Cs do — to be in compliance with the Gramm-Leach-Bliley Act of 1999, which requires colleges and universities to protect students’ online data, CMC’s associate director of information technology Bruce Frost said.
“Computer security is a matter of protecting your data, and there’s a tradeoff between security and convenience,” Frost said. “We make decisions; in our case we’re making decisions for security because of government law.”
Following a testing period, HMC began implementing DUO in April 2017 and made it available to students in May 2018.
“The feedback we received with each wave of the rollout was positive. Early student testers expressed some concern about having more than one authenticator app on their phones … [but] generally people seemed happy to have additional protection for their own personal data and college data,” HMC’s chief information officer Joseph Vaughan said. “Given the significant increase in security to our campus community, I would say that DUO is completely worth it.”
Other 5Cs are making progress with implementing DUO as well. Pomona College’s Information Technology Services is currently deploying DUO for staff and is planning to expand it to students and faculty.
ITS desktop support specialist Melanie Sisneros said she has used DUO for several months and appreciates the additional security it provides.
“The way I look at it, it’s like, back in the day, people used to not leave their front doors locked. Now, you have to get out your key and unlock the door,” Sisneros said. “Multi-factor authentication is the same paradigm; it’s this extra layer of security and a small bit of trouble, but so far I have not run into big problems.”
Scripps College did not respond to a request for comment.