Tufts implements two-factor authentication

10/10/17- Medford/Somerville, MA - A YubiKey is a hardware Universal 2nd Factor (U2F) device which emits a unique one-time password, allowing users to securely log in to many popular websites. The new Tufts 2FA system supports YubiKeys. (Evan Sayles / The Tufts Daily)

All Tufts students will be required to use two-factor authentication (2FA) for Trunk, Tufts email, Canvas, Box and eServe by April 1, 2018, according to Christine Fitzgerald, manager of service marketing and communications at Tufts Technology Services (TTS). Students will later have to use 2FA on their SIS accounts. 

2FA is a digital security measure that requires people to confirm their identity using a second device when they sign in to key accounts. According to Fitzgerald, this would mean when students log in to an account on their computer for example, they would receive a push notification on their phone confirming their identity.

Fitzgerald said the transition to 2FA is already underway.

“All of Tufts faculty, staff and affiliates are required to use [2FA] as of September 30, and this implementation is almost complete,” she said. “For students, we have a longer timeline. That said, all student workers will need to enroll by October 31.”

Margaret Gorguissian, a junior majoring in computer science, told the Daily in an electronic message that 2FA is a practical measure for Tufts.

“It is an excellent way to prevent unauthorized access to accounts,” Gorguissian said.

Evgeni Dobranov, a junior majoring in computer science, agreed, noting passwords are not sufficiently secure.

“Having robust security systems to protect our information is vital,” Dobranov told the Daily in an email. “Passwords aren’t as secure as they once were, but 2FA offers a large measure of security.”

Fitzgerald noted that 2FA cuts down on security risks and the costs associated with containing damage from leaks and digital attacks.

“It protects [students and employees] from identity theft and months of trying to undo the compromise,” she said. “The pain of trying to recover after a malicious attack is much worse than the perceived inconvenience of having to verify your identity when accessing certain services.”

While 2FA can stop some attacks, the system is not being implemented as a response to the TuftsLeaks that occurred earlier this year, Fitzgerald emphasized. She said Tufts employees have had their information compromised prior to the leaks, and the implementation of 2FA is intended to reduce those incidents in the future.

“Two-factor authentication has been used for a number of years at Tufts for many of our back-end systems and this implementation was underway at Tufts well before the leaks,” Fitzgerald said.

Other universities also use 2FA, Fitzgerald noted, including Harvard, Brown and MIT.

Gorguissian added that, while 2FA is useful in preventing some kinds of attacks and leaks, it is not a universal solution.

“I have noticed that we’ve had a few phishing scams (that TTS has notified us about), and 2FA doesn’t really protect against phishing,” Gorguissian said.

Because of the complexity of the systems involved, implementation of 2FA is expensive and time consuming, Fitzgerald said; however, she said the cost was planned for in the TTS budget and was outweighed heavily by the savings on security and containment costs. Fitzgerald added that fixing and securing compromised accounts can be costly and can lead to direct costs to employees, including stolen paychecks and W-2s.

“The 2FA program costs are part of our overall risk and compliance measures and built in to our budgets for ensuring IT security at Tufts,” she said.

The primary objection to 2FA, Gorguissian said, was its inconvenience.

Grace Konstantin, a junior majoring in cognitive and brain sciences, agreed the program is a nuisance, but ultimately useful.

“It’s one of those things that you know you should do, but it’s also hard to get past how irritating the whole process is since the threat you’re protecting yourself from isn’t really visible, but I guess nothing on the internet really is. It’s annoying but ultimately helpful,” Konstantin said.