November 30, 2022
Ithaca, NY | 37°F


Cyber security expands at IC with Duo authentication

Ithaca College staff, students and faculty can expect to find an extra step when logging into Zoom and Formstack Forms. Duo Multi-Factor Authentication (MFA) will now be required to prevent accounts from being compromised. 

The changes were announced over Intercom, with Zoom requiring Duo MFA on March 17. Formstack’s Duo MFA implementation was originally scheduled for March 16, but was pushed back to March 21. When logging in, students will now be expected to answer a phone call or go into the Duo app in order to log into Zoom. Ithaca College is one of more than 300 educational institutions that uses Duo MFA for its programs.

MFA is an electronic authentication method that is gaining popularity with companies — including Bank of America, Facebook and Microsoft. For security purposes, it requires users to use two or more identity verification factors in order to gain access to a website or application. This multi-step verification process helps to reinforce security, while usernames and passwords remain vulnerable to cyber-attacks and being stolen by third parties.

While Zoom was highly utilized during the COVID-19 pandemic, it also experiences a form of cyber-attack known as ‘Zoombombing,’ a practice in which internet trolls hijack calls — inserting lewd, obscene, racist, misogynistic, homophobic, Islamophobic or antisemitic material. Zoombombings have occured during classes at the college in the past. Proven methods to prevent this include not sharing Personal Meeting IDs when hosting public events, asking users to provide their email address when registering for an event and MFA.

“At IC, we will continue to add Duo protection to systems wherever login is required, while also continuing enhancements to our single sign-on systems to reduce how often individuals are prompted to authenticate,” Jason Youngers, information security officer for Information Security and Access Management said via email.

While there have been no immediate threats to security in these programs, David Weil, chief information officer for Information Technology, said the changes were made because of MFA’s ability to deter hacking and to better protect all student, staff and faculty accounts. 

“It really has been shown to be a very strong deterrent to having an account be compromised,” Weil said. “And industry best practices is really recommending that wherever possible, you should put MFA in front of all logins … it really is another layer of protection.”

Duo’s move to Zoom and Formstack was news to some students. Senior Nicholas Isaacs said he was surprised to find out that he would be required to use Duo to log into Zoom. For Isaacs, the change is not entirely welcome.

“I just think it’s too many extra steps,” Isaacs said. “I think that both platforms have enough security … but I can see why the college is doing it. But from a practical standpoint, it’s really not the best.”

For some students, the process of logging in with MFA is tedious. Whenever sophomore Devan Adegbile was without her phone, she said logging into websites became more difficult.

“Sometimes I just quickly want to look something up [on Degree Works] on my computer and I need to … get my phone, but it’s all the way in a different room, so it’s a little inconvenient for me,” Adgebile said.

Isaacs similarly said the process of moving between computer and phone to login has created problems for him in the past. In one instance, Isaacs said he was unable to login because his phone had died and he was not able to access Duo Mobile.

“There’s been cases where my phone’s been off and [I] haven’t been able to get in,” Isaacs said. “I have to charge my phone before I can get in … and I just couldn’t get into the account, so that was a big inconvenience. But other than that, if you have your phone on, then maybe [logging in is] 30 seconds more at most.”

Duo offers a way to speed up the login process by allowing users to remain logged in for 90 days. Whenever a user is asked to use Duo, Weil said it was to ensure the person using the device is who they say they actually are.

“On my computer that I’m using right now, I have not been asked to use Duo at all today,” Weil said. “If I were to use a different machine, it’s going to be ‘Oh, I don’t know who you really are, let me challenge it.’ I know it can be a little frustrating, but it’s using intelligence behind the scenes … it’s not just arbitrarily asking.” 

For sophomore Jesus Burgos, using Duo is just another part of his login process — which is why he said he did not mind the addition of Duo to Zoom and Formstack. Instead, he saw it as an opportunity to further prevent Zoombombings.

“If you get hacked or if someone knows your password, that doesn’t mean they’re going to be able to get into your account,” Burgos said. “I hope that people here are more mature and that [Zoombombings] wouldn’t happen in Zoom meetings and at Ithaca College.”