On Nov. 28, 2018, it was announced via email that access to MyCourses would require multi-factor authentication (MFA) effective Jan. 3, 2019. Following the announcement was a mix of praise and student concerns.
Is there a Benefit?
We already have passwords — these are the first factor in authentication. MFA adds a second, independent means of verifying the user during the login process. That second factor could be a PIN, a phone login or a token.
“It’s essentially an added layer to be able to prove that you are who you say you are,” Aldwin Maloto, information security officer for RIT, explained.
ITS Service Desk Manager Omar Phillips expanded upon why MFA is necessary.
He said, “One of the things that is inherent in higher ed is that our systems are pretty open to the internet.”
In comparison to other organizations that may store highly sensitive information under tight security — banks, for example — colleges and universities must make their information relatively easy to access. Students will need to tap into this data from various locations around the world, especially with RIT’s extensive co-op and study abroad programs. Therefore, it must be on an open network that will allow for global login.
However, that also means exposing the system to more risk, as any individual from Paris, Dubai, Tokyo or anywhere else can also log in, provided they have the user’s login information. MFA makes it doubly difficult to log in by adding an extra obstacle for those with malicious intent.
The Journey
When first discussing MFA, staff experts began by asking themselves which systems posed the greatest security risk. Largely, these were employee systems on the back end, such as payroll information. This is where MFA at RIT began.
MFA has since moved further into the back end of MyCourses, requiring all faculty and staff logins to be authenticated through MFA. More recently, it was introduced on the student side with SIS and TigerCenter, and now MyCourses. This order was no accident, either.
“We intentionally did SIS before MyCourses knowing that usage patterns of MyCourses are different,” Phillips said, on implementing MFA. “We timed it in such a way that we got it in for SIS before the Spring semester enrollment occurred so we could be sure to get a critical mass of students enrolled [in MFA] and comfortable with using the system before we went into MyCourses, where they would see it more day to day.”
This wasn’t solely an RIT decision, either. Federal laws and guidelines such as the Federal Educational Rights and Privacy Act (FERPA) mandate that universities reasonably safeguard academic information, including grades, class schedules and degree progress. The next step includes expanding MFA to other sites that hold sensitive data.
The Feedback
MFA was introduced to MyCourses in early January. This has been met with some uncertainty. Maloto and Phillips have given responses to the concerns.
One concern raised was that a student may not always have their phone on hand to use the Duo app recommended for MFA verification. Related issues, such as a phone battery dying or otherwise not having access to the phone at the time, were brought up as well. For instances like this, Phillips recommended going to www.start.rit.edu and generating a list of single-use codes that one can print and use when needed. However, if one doesn't already have these single-use codes available, it can be a hassle to generate them in the moment. In addition, this method is not a well-advertised option, and many might not know about it at all.
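The single-use codes Phillips describes follow a common pattern in MFA systems: the plaintext codes are shown to the user once (to print), the server stores only their hashes, and each hash is deleted the first time its code is redeemed, so a printed list that is lost or photographed only helps an attacker until the codes are used. The Python below is an added illustration of that pattern and is not code from RIT, Duo or the article; the code format (ten eight-digit codes), the function names and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Constructed choices: digit-only codes are easy to print and type by hand.
ALPHABET = string.digits
CODE_LENGTH = 8
DEFAULT_COUNT = 10


def _hash_code(code: str) -> str:
    # Store only a hash: a leaked database must not yield usable codes.
    return hashlib.sha256(code.encode("ascii")).hexdigest()


def generate_backup_codes(count: int = DEFAULT_COUNT):
    """Return (plaintext codes to show the user once, hashes to keep server-side)."""
    codes = [
        "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        for _ in range(count)
    ]
    return codes, {_hash_code(c) for c in codes}


def redeem_backup_code(stored_hashes: set, submitted: str) -> bool:
    """Accept a code exactly once; its hash is removed so it cannot be replayed."""
    # Tolerate the spaces people add when copying from a printed sheet.
    candidate = _hash_code(submitted.strip().replace(" ", ""))
    for stored in stored_hashes:
        # Constant-time comparison avoids leaking which hash matched.
        if hmac.compare_digest(stored, candidate):
            stored_hashes.remove(stored)  # single use: consume on success
            return True
    return False


if __name__ == "__main__":
    plaintext, store = generate_backup_codes()
    print("Codes to print (shown once):", plaintext)
    print("First use accepted:", redeem_backup_code(store, plaintext[0]))
    print("Replay accepted:", redeem_backup_code(store, plaintext[0]))
```

The important property is in `redeem_backup_code`: a valid code is consumed on first use, so the list has to be regenerated once it is exhausted, which is exactly why generating it ahead of time (rather than in the moment) matters.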
Other students have asked if they could use other authentication apps aside from Duo, such as Unikey. These other security apps will work with RIT’s MFA system for the most part, though Maloto and Phillips stressed that Duo was still the officially recommended app for users to utilize.
MFA is seen by many students as an annoying obstacle. Maloto and Phillips understand this and explained that they are working on a “remember me” feature. The feature, also launched in January, allows a single login to grant access to a given account on a specific device for up to 24 hours without having to re-authenticate through MFA. While users will likely still be required to log in with their RIT ID and password, MFA will not be required during this 24-hour period, so users will see the prompt less often while the security benefit is maintained. The downside, though, is that 24 hours may not be as long as it seems. Additionally, because the verification only applies to one device, you will still need to go through MFA on every device at least every 24 hours.
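A “remember me” feature of the kind described above is typically implemented as a token issued after a successful MFA login, bound to one user and one device and carrying an expiry; the password is still checked on each login, and the token only decides whether the second factor is prompted for again. The Python below is an added example of that logic, not code from RIT, Duo or the article; the token format (HMAC-signed JSON), the device identifier and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

REMEMBER_SECONDS = 24 * 60 * 60  # the 24-hour window described in the article


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_token(secret: bytes, user: str, device_id: str, now=None) -> str:
    """Issue after a completed MFA login; binds the token to one user and one device."""
    now = time.time() if now is None else now
    payload = {"user": user, "device": device_id, "exp": int(now) + REMEMBER_SECONDS}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("ascii")
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def second_factor_required(secret: bytes, token, user: str, device_id: str, now=None) -> bool:
    """True when the user must complete MFA again: no token, tampered, other device, or expired."""
    now = time.time() if now is None else now
    if not token or "." not in token:
        return True
    body_b64, sig_b64 = token.split(".", 1)
    try:
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:  # binascii.Error is a ValueError
        return True
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return True  # signature mismatch: tampered or signed with another key
    payload = json.loads(body)
    if payload.get("user") != user or payload.get("device") != device_id:
        return True  # the token only covers the device it was issued on
    return now >= payload.get("exp", 0)  # expired after 24 hours


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed; a real deployment uses a random server key
    tok = issue_remember_token(key, "abc1234", "laptop-1")
    print("Same device, 1h later, MFA needed:", second_factor_required(key, tok, "abc1234", "laptop-1", time.time() + 3600))
    print("Other device, MFA needed:", second_factor_required(key, tok, "abc1234", "phone-1"))
```

The two checks that matter for the article's caveats are the device comparison (a token from a laptop does nothing on a phone) and the expiry comparison (the window is a fixed 24 hours from issue, not from the last use).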
Some have also raised the question of whether they could use an external email address as a form of authentication. However, as Phillips pointed out, this defeats the purpose of MFA. They often find that many people use the same password for multiple accounts. Even when they don’t, users who fall for a phishing technique once will likely fall for it again on their second account. Therefore, if malicious individuals can find the login information for one account, they can likely find it for another. MFA adds a layer of extra security that a secondary email wouldn’t provide.
Finally, there have been jests that many students don’t think MFA is necessary.
“We see it occasionally on Reddit that a few people ... have said, ‘Who cares if somebody gets in my MyCourses account?’” Phillips said.
He explained that, while a student may not personally mind if someone looks at their grades on MyCourses, it may be extremely important to others, as well as to the university itself. Maloto added that many areas of the MyCourses site hold very sensitive information too, such as student schedules and class lists. Through these, people can figure out where an individual can be expected to be at any given time, as well as who they might see. There is a growing wave of socially engineered scams that exploit personal connections. By accessing an individual’s class list, someone could send an email to those students claiming to be the user whose login information was stolen and trick them into giving up their own login information. This is known as lateral movement: using one person’s compromised account as a jumping-off point to expand the attacker's reach.
Therefore, by adding MFA to MyCourses, the university isn’t just protecting an individual’s information, but the information of those who share classes with them. Although some of these situations seem drastic, they are always a possibility, as Phillips stated.
“These aren’t hypothetical situations — these things happen,” he said.
MFA has its positives and negatives, but the number one priority is always safety, no matter the inconvenience.