On Jan. 23, after nearly a year of deliberation among University of Michigan administrators, Duo Two-Factor Authentication was introduced for student employees, faculty and staff. Duo, a program that aims to protect a user’s data by requiring they log in to websites like Canvas and Wolverine Access using both a password and an alternate device, is mandatory for those employed by the University on all three campuses.
LSA sophomore Charlotte Weisman, a former employee at Maizie’s Kitchen and Market in the League, said she was accustomed to programs that use dual-factor verification and found the process of setting it up fairly simple.
“There are a lot of platforms that use dual-factor authentication, like Facebook and Instagram where they text you a code or something,” Weisman said. “Initially, I was a little annoyed because I was like ‘Oh, I have to set this up, I don’t know if this is going to be a hassle,’ but I found it pretty straightforward and they kind of walk you through the steps.”
Duo Security, an internet-safety provider with offices in three states and the United Kingdom, was founded in 2010 by University alumni Dug Song and Jon Oberheide. According to the Duo website, the company serves over 14,000 customers in 100 countries, including larger brands like Yelp and Facebook. In August 2018, Cisco Systems Inc. acquired Duo in a $2.35 billion deal.
According to Ravi Pendse, vice president of information technology and chief information officer, multi-factor authentication has existed in some form at the University since 2005. Pendse said Duo’s 2FA provides more extensive security coverage than previous verification programs because it is based in a smartphone app rather than an external hard drive.
“In 2005 and even before, when people used other forms of verification, they would not use most of the modern tools that we use today — tools that we carry in our pocket or purses,” Pendse said. “A lot of the things that we do, we do them through smartphone … so smartphone has replaced many things, including the two-factor verification that can be used for using Duo.”
Most 2FA users verify their identity using the Duo Security app and their smartphone, Pendse said. Student employees and faculty, however, can also request a hardware “token” from the University that plugs into their computer for when they are traveling or do not have reliable service.
“One of our challenges was communication — letting people know that while smartphone is the most popular way to use Duo, that’s not the only way, there are many ways you can use Duo,” Pendse said. “(We are) making sure that is communicated over and over again so that people remember it.”
Pendse and other University officials said they chose to switch to Duo in January because of its accessible format and reliability. In an email to The Daily, Steve Edwards, senior manager of corporate security at Duo Security, said dual-factor authentication programs are necessary at colleges like the University because of the amount of data accessible to hackers.
“Universities hold a large amount of information such as sensitive personally identifiable information, payment details and valuable grant-funded research all of which can prove to be valuable to motivated attackers,” Edwards said. “University networks also typically have a large number of online services and applications, which makes them an attractive target to malicious actors.”
Since the beginning of the year, 24 documented phishing alerts have been sent out to the University community warning faculty, staff and students of suspicious behavior by potential hackers. Phishing occurs when a scammer sends out an email pretending to be a credible company with the intent of obtaining a person’s credit card number, password or other confidential information.
Edwards said the prevalence of these phishing attempts makes programs like 2FA necessary for preventing infringements upon private data.
“Unless you’re involved with the information security industry and can stay on top of the ever-evolving tactics attackers use, you’re less likely to recognize the tell-tale signs of a phishing attempt,” Edwards said. “Phishing has evolved far beyond poorly-spelled and formatted emails — the tactics attackers use to fool users have gotten quite advanced.”
While all three University campuses implemented 2FA for student employees, faculty and staff in late January, Michigan Medicine began requiring that all employees use Duo’s verification feature beginning in October 2018 to protect patient health records.
Engineering junior Rebekah Weeks works in the Health Information Technology and Services department of Michigan Medicine as a research assistant and said she welcomed the switch to 2FA because it made patient data more secure. Weeks is also a tutor in the Science Learning Center and uses Duo’s program to protect students’ academic and personal records.
“Especially because my lab is affiliated with Michigan Medicine, it makes a lot of sense to have that extra layer of security — we’re protecting patients’ data,” Weeks said. “Any extra layer of security that we can give to patient data when we’re working within Michigan Medicine or even with student data for my job at the SLC, I think that’s a good step.”
Though University officials like Pendse and Sol Bermann, interim chief information security officer, said 2FA was generally well-received by students and faculty, there were concerns as to whether users would view the program as a hindrance to their daily lives.
Bermann said numerous change management initiatives were put in place before and after 2FA was implemented in order to make sure students, faculty and staff were open to the change. He noted how increasing security through 2FA and maintaining a positive experience for students would require extra effort.
“We recognize that there may be challenges for some students if they don’t want to use their phone and so we have a variety of ways that we can let you do your Duo business without you having to use your phone,” Bermann said. “But we are going to do the change management in a very similar way that we did with faculty and staff.”
Sara Rampazzi, a research investigator and lecturer in the department of electrical engineering and computer science, said programs like 2FA are a step in the right direction for promoting internet security, but there is still more work that can be done to ensure complete confidentiality.
When logging in to Duo, students can click “remember me for seven days” so they don’t need to verify their identity twice each time. Rampazzi said while there are guidelines from the University about how to make a password or login more secure, students should also educate themselves about potential security risks.
“The best thing that a user or a university could do is to make available for the user some rules for changing or making the password more secure and even longer,” Rampazzi said. “Another thing that is right now being implemented is that in the interface, you can set up a ‘remember’ for your password for seven days, so you are allowed to automatically log in only if you introduce the password. I think one of the steps could be to reduce the number of days that you can use to enter into the system automatically with just one password.”
Weisman said the “remember me” feature made Duo’s program easier to use, but also noted how more information on how to use 2FA should be made available to students and faculty in order to make the program as accessible as possible.
“If you’re a student who is probably pretty good at using computers or knows basic web stuff, it’s not really a hassle, it’s not really difficult to use,” Weisman said. “But I had a professor who … didn’t know that you could click ‘remember me for seven days,’ so he would have to do it every time. So I feel like how much of an impact it has on you depends on your demographic and how comfortable you are with using the internet and using the security system.”