Editorial: 2FA service, a small price to pay for security

Earlier this year, Tufts Technology Services (TTS) requested that students register for the new Two-Factor Authentication (2FA) service, provided by Duo Security. In use by faculty and staff since October 2017, 2FA has been promoted as a necessary service to combat identity theft and further ensure information security. Although it slightly inconveniences access to student web resources, 2FA provides much-needed security to everyone on campus.

Universities have been increasingly targeted by hackers over the past decade. A single hacker, called Ag3nt47, leaked personal login details of staff and students at Harvard, Stanford and MIT, claiming to have found a Structured Query Language (SQL) vulnerability in the university servers in 2013. It seems that universities have been preferred targets for hackers because of glaring security weaknesses in university IT systems. By simulating a cross-site scripting (XSS) attack, Tinfoil Security found that 25 percent of 557 state universities tested were vulnerable. Unsurprisingly, the Identity Theft Resource Center reported that 42 colleges and universities experienced breaches in 2014 alone, and the number has only grown.

If neglected, such leaks will impose blanket costs on the university. TeamShatter, the research department of Privacy Rights Clearinghouse, which researches issues on data protection and privacy, found that a breach of 654,000 records at the University of Nebraska on May 25, 2012 resulted in an estimated financial loss of $92 million. Likewise, the recent federal class action against Washington State University was filed because the data breach involved Social Security numbers and health data that could be used in insurance fraud and other cases of criminality. Though the most recently documented incident of a hacking of student information at Tufts was in February 2005 at the Mugar and Eaton Computer Labs, the risk and the potential harm of a future security breach remain significant.

The new 2FA service — supported by Google, Apple, Microsoft, Facebook, LinkedIn and Twitter, among others — decreases the risk of account compromises and identity theft. First, one is alerted to an unverified login attempt or an attempted password change. In addition, one receives alerts immediately through a linked device like a smartphone or tablet and can confirm or deny such access requests remotely. Though 2FA isn’t impervious to breaches (RSA, a security company, revealed that its SecurID authentication tokens were hacked regardless), it makes breaches harder at the very least.

The task of TTS now is to monitor and constantly update the security grid under the new 2FA system. Indeed, TTS has done well to create initiatives to support Cyber Security Awareness Month in October 2016, and should continue to do so. Thus, although additional patience is required to go through a second verification, it is worth the wait.