Deadline approaches for two-factor login

Photo by Casey Gomez

The transition to two-factor authentication for all Tech accounts is in full throttle. Students on main campus have until Oct. 16 to sign up for two-factor authentication, or they will be locked out from online services until they get around to registering, at which point they will regain full access.

Students can ask anyone already enrolled in two-factor authentication to help them register using Passport. Once enrolled, students have the option to choose between using a push notification, a phone call or a text message in order to verify their identity.

Jimmy Lummis, chief information security officer with Tech’s cyber security team, stresses that multi-factor authentication is essential to protect students, faculty and staff from having their accounts compromised by online ill-doers.

According to Lummis, ensuring cybersecurity at universities is a real and ongoing concern. He shared that even this past week, a top university in Virginia was hacked and large amounts of money were stolen from several students’ accounts and transferred to the hackers’ bank accounts.

“The number one attack vector that hackers use today is what’s called social engineering,” Lummis said. “Social engineering essentially is a scam, right? It’s a form of trying to trick a person into getting what the bad guy wants.”

What “the bad guy” wants first is usually credentials — a login and password, typically — that can get them access to financial or other sensitive information.

Tech may be nationally ranked for its academics, but its students aren’t infallible when faced with phishing attacks and other threats.

A 2015 report released by the Tech cyber security team found that despite three years of efforts to increase awareness on such scams, when the first phishing exercise was released in fall 2015, nearly 22.1% of the Tech population both clicked on and provided their credentials to a suspicious link.

Students who went through cyber security training sessions only clicked on those links at a rate of two to five percent, according to Lummis. But he says even that percentage is too high.

“The problem with relying on education and awareness is that two to five percent of a school that is about 35,000 people is still a really large number,” Lummis said. “As a student, you have access all of your own personal information, including your sensitive personal information that we store on your behalf … your banking information is stored inside of that system, if you’ve ever made a payments to the Institute, your student loan information has been there, including your parent’s financial history, and all those sorts of things. As an exchange of information occurs between the student to the Institute, we then become responsible for protecting that information on your behalf.”

In response to these concerns, the cyber security team began to have discussions with the administration on implementing two-factor authentication in late 2013, and began using two-factor authentication on administrative and IT accounts soon afterward.

Tech chose to use Duo Security, which allows second authentication through a tiny USB device or hardware “token” in addition to push notifications or codes received by SMS, phone call or app. Duo allowed Tech the flexibility to tailor the two-factor authentication process to fit the process.

After an initial testing period with the College of Architecture (which is now the College of Design), the process of moving faculty and staff over to use two-factor authentication began in Jan. 2017.

Early discussions with student groups made the team rework the system so that students could help each other register in the hopes that it would speed up enrollment.

After initial success with faculty and staff rollout, OIT moved to students attending main campus full-time in the fall semester, who are the only students required to enroll by Oct. 16.

Getting the word out has not necessarily been straight-forward. When informing faculty about two-factor authentication, they sent out emails, gave presentations, and provided a quick reference guide to administration, finance and IT professionals. The student body, on the other hand, is much larger and not as responsive to traditional communication channels like email. Although OIT has held tabling events and put up paper and digital signage, they say that the most effective and universal method has simply been adding an alert whenever students login into their accounts. In addition to added security benefits, under two-factor authentication students will not only be required to change their passwords on a yearly basis.

Only approximately 11,000 of the 20,000 full-time students on main campus have signed up. They expect there to be a surge in sign-ups as the Oct. 16 deadline nears. More information can be found at