Beginning Wed., Jan. 23, all University of Michigan student-employees, faculty, staff and sponsored affiliates will be required to use Duo Two-Factor Authentication, a program which verifies one’s identity online through the use of two factors: a password and a second device, such as a smartphone or tablet. The change is an attempt to increase IT security across the University’s Ann Arbor, Dearborn and Flint campuses.
Though students will not be required to use the Two-Factor Authentication system, those who work for the University and do not enroll with Duo by Jan. 23 may experience delays using University services including Wolverine Access, Canvas and Box at U-M. Student-employees may not be able to check their Google Calendar, check their email or take an online quiz or exam.
LSA junior Yara El-Tawil worked as a research assistant at the Rogel Cancer Center and was required to download Duo Two-Factor Authentication. While El-Tawil understands the need for cybersecurity, she does not believe Duo is necessary for students like her who do not have sensitive information on their University accounts.
“For me, it doesn’t make a lot of sense to have to use Duo since I have almost nothing on my account that’s in danger of identity theft or anything like that,” El-Tawil said. “But I guess since there’s been a lot of data leaks and stuff, the safest thing to do is just to go through all of it, regardless … because then you have a blanket, you can’t compromise any other accounts. But also it’s just really annoying. It makes sense, it’s just unfortunate.”
LSA sophomore Joey Pongrac said he agrees. He waited until the morning of Jan. 22 to install the Two-Factor Authentication. Pongrac works at the Science Learning Center as a facilitator for organic chemistry classes and believes the system is of no value to him since he is not concerned about individuals hacking his account.
“They said it makes my account more secure, but I’m not really worried about anyone hacking into my account in the first place,” Pongrac said. “It was pretty easy to install and it wasn’t a big deal. It took like five minutes. It’s what I expected, it’s just a waste of time, but it’s fine I guess.”
DePriest Dockins, director of Identity and Access Management at the University, said the introduction of Two-Factor Authentication was not prompted by any specific security breach at the University, but rather by the risk that having minimal cybersecurity poses. Two-Factor Authentication was one of the easiest ways to ensure cybersecurity at the University, Dockins said.
“Two-Factor Authentication, as it turns out, is one of the most straightforward things you can do to protect the University’s resources,” Dockins said. “It’s something you know — so your uniqname and password — and something you have, which is a code or your mobile device. So somebody has to have all of those things in order to get into a resource.”
To turn on Two-Factor Authentication, University staff have to go to duo.it.umich.edu. Those looking to install Duo can download the Duo Mobile app onto their phone and tap the University of Michigan account to get a passcode. The next step is to select “send me a push,” which will send an authentication request to their device. They will then unlock their phone, open the push notification and tap the green button to approve.
El-Tawil said the process of downloading Duo was relatively simple, though logging in presented a problem when she was unable to access her smartphone and the seven-day verification expired. Users can check “Remember me for 7 days” so they do not have to authorize the Two-Factor Authentication each time they log on, as long as they use the same device and browser, and the browser does not block cookies.
“(The program) gave you steps to follow, and so it wasn’t hard per se, it was just annoying to get used to,” El-Tawil said. “If I was logging onto something without my phone there, or if my phone was dead, it would just be a hassle to charge it if the seven-day verification was off. That was the biggest problem — was not having my phone.”