Last Friday, March 30, Information Technology Services (ITS) began to require all non-senior students, faculty and staff to enroll in Duo two-factor authentication, adding an extra layer of security to emails, files and data across campus.
Duo requires users to register a secondary device, such as a mobile phone, tablet, landline or USB security key, which receives a verification message upon login to Carleton.edu accounts. According to the Duo user guide, two-factor authentication “prevents anyone but you from logging in, even if they know your password.” ITS first announced the Duo rollout at the end of winter term, and offered enrollment instructions, email reminders and drop-in help sessions throughout March. Those not enrolled by Monday, April 9 will not be able to access their Carleton accounts until they enroll in Duo, according to a March 30 email from ITS.
According to President of the Faculty and Professor of Computer Science Jeffrey Ondich, “Passwords are a good layer of defense, but they’re not on their own invulnerable. And two-factor is a second kind of a way of proving that you deserve to be allowed into an account.” “Two-factor combines something you know—which is your password—with something you have—typically your phone,” explained Computing Support Specialist Kendra Strode ’10. “That’s basically the concept: there’s a second way to prove that you are who you say you are.” “We are obligated to protect your data, as a person,” she continued.
According to Strode, Duo is intended to protect four primary areas of data at Carleton: academic information, financial information, health information and research data information. “We don’t want Duo to be driving people crazy,” Strode added. “Realistically, if everything is configured correctly, they should have to do Duo two to three times every few months.” Duo has been available on an opt-in basis for the Carleton community for a couple of years, said Strode.
Administrative departments that “directly handle more sensitive information,” including the business office, Human Resources, Admissions and ITS, have already been using two-factor, she added. The decision to implement Duo campus-wide came within the last year. The Technology Planning and Priorities Committee took the idea to the Tuesday Group, the college’s senior leadership team, who made the final decision. “We are obligated to protect your data, as a person. You’re a student, and you’re our responsibility,” explained Strode. “It may not seem like any individual account has access to that much information. But if you have a campus job, you may have access to information through that connection. Even simple access to the Hub can potentially give somebody the ability to redirect your deposit.” ITS initially considered rolling out Duo by December 31, 2017. “That was a pretty aggressive timeline,” said Strode.
They decided instead to devote the month of March to “really dedicated Duo communication,” she explained. ITS put flyers in mailboxes, tabled in Sayles twice a week throughout March, and held two “Dinner and Duo” events, on March 8 and March 29. Funding for these Chapati-catered sessions came from ITS’ operating budget, which includes money intended to support implementation of changes like this one, said Strode. ITS chose to roll Duo out gradually over a month because “trying to help everybody on one day would be overwhelming,” according to Strode. “Also, that one day may be great for half of campus and horrible for the other half. Giving some flexibility for when folks made the switch was important to us.” Ondich went on to explain that two-factor authentication protects against phishing attacks. “Carleton does periodic tests of our security systems,” he added. “In particular, the biggest vulnerability, security-wise, is always people. So they’ll send out fake phishing attacks and there’s always a small set of people—faculty, staff and students—who fall for it.”
Strode noted that, according to a survey of peer institutions with 31 respondents, “80 percent of these responding peer schools offer two-factor in one form or another, and 55 percent require it for at least specific departments, applications, or off-campus access. As of 2017, ten percent of respondents (three of these peer schools) required it for faculty, staff and students, with one school adding campus-wide requirement soon after the survey and at least two others looking to expand coverage of two-factor authentication.” When asked about Duo’s reputation in the two-factor provider market, Ondich said, “the Duo company that Carleton has contracted with is probably the market leader right now in making two-factor easy.” “I think we’re ahead of the curve,” she said. “I think we certainly could have done it sooner, but this felt like a decent time and we’re definitely before a lot of other schools and institutions.”
When the department was considering implementing mandatory Duo, Strode worked with a handful of other schools, including state institutions and smaller colleges. “This is where security is headed,” said Strode. “As an educational institution, if we can help you as students learn best practices to keep you safe both here but also after Carleton—even if it’s a painful transition, that seems like a win.”