Colby Information Technology Services (ITS) will require multi-factor authentication to sign into all College accounts starting Jan. 4, 2021. The requirement has already been put in place to sign into Workday, the website that student workers have been using to log their hours since the start of the fall semester.
Dennis Tuttle, Information Security Analyst at the College, told The Colby Echo that the step is supposed to ensure that students, faculty, and staff are the only ones who can access their own accounts.
“The idea is if somebody was to get your credentials, like your username, to Colby, if they were to figure out your password and be able to get in, they could get in from anywhere,” he said. But, “If we have multi factor [authentication], it’s going to push back to your phone and your account and it won’t let them in, so it gives us an extra level of protection.”
The risk of College accounts being compromised is that someone could “plant a file on Google Drive that would contain ransomware and they could actually do other things to infiltrate the network,” Tuttle said.
Ransomware is a type of malicious software, or malware, that prevents a user from accessing their files until they pay a fee to unlock access to them.
According to Tuttle, authentication works by requiring that a user use something they know, like a password, something they are, like facial recognition, or something they have, like a phone, to get into an account.
The multi-factor authentication process uses both the first and last options: users must still enter a password to get into their College accounts but they must also now affirm that it is them by entering a code texted to their phone or responding to a push notification sent to an app called Okta Verify on their phone.
The College has paid for a license for Okta Verify for up to 5,000 users, which Tuttle said covers all of the accounts needed across campus.
So, if someone were to get a Colby user’s password, they would not be able to access that user’s account.
“If their account credentials are compromised [someone] can use the password to log in as their Colby account. If you have multi-factor authentication, you can’t use that. The password alone isn’t going to let you into the systems, so that’s the goal,” Tuttle said.
Tuttle said that he is not concerned about students having an issue setting up multi-factor authentication. He shared that around 800 students have already signed up for Okta because they need to use it to log their hours for campus jobs on Workday.
The finance department of the College has also been using multi-factor authentication for some time to log in to the applications that they use. Moving forward, once students and faculty are all set up with multi-factor authentication, ITS will seek to set it up for all applications that contain sensitive information on campus.
Tuttle said that the FBI has issued warnings about an increased risk of ransomware targeted at healthcare organizations and at the College’s peer institutions. He relayed that cyber security incidents had occurred at Trinity College, Amherst College, and the University of Vermont Medical Center.
The COVID-19 pandemic has also opened up avenues for spam messages that include phishing, which is an attempt to pose as a company in order to get information like passwords or credit card numbers from someone, Tuttle said.
This has motivated the College to implement multi-factor authentication this winter. Tuttle said that Bowdoin College and Boston University use multi-factor authentication for at least some of their accounts.
While this extra step may be seen as an inconvenience, Tuttle said that once a user has authenticated their account on one application, they will be able to use that account across other applications.
“We’re trying to make it as simple as possible by having you authenticate once and having that authentication shared among other applications,” he said. “So, you don’t have to multi-factor to Workday and then multi-factor to your Gmail account. We’re trying to implement it so it’s the least friction as possible and it makes it as easy as possible to navigate.”
For students, faculty, and staff without smartphones or who do not want to connect their Colby accounts to their phones, ITS can issue YubiKeys. YubiKeys are small USB-like devices that can be plugged into a user’s computer to provide the second step of authentication. Tuttle said that ITS has already issued YubiKeys to some Workday users this semester.
Tuttle makes it a point to tell those around him that there are risks associated with sharing certain information on social media or not protecting their login information, and is glad that College accounts will be more secure come January.
“We just want to make sure that students understand that there are people out there that can leverage information that they post online and can leverage their account data if they get unauthorized access to steal your identity and actually try to commit fraud in other ways,” he said.
For resources on information security, like how to secure your internet browser, avoid fraud, protect against phishing and ransomware, safely use social media, and securely travel internationally, go to http://www.colby.edu/informationsecurity
~ Sonia Lachter ’22