SUNY Plattsburgh makes cyber security an initiative by implementing new multi-factor authentication for faculty email and banner accounts in hopes of tighter protection against phishing scams and social engineering techniques.
Multi-factor authentication requires the user to have another token of identity verification beyond a username and password. Tokens can come as a phone call, text message or access key provided by the computing systems and desktop support department. Duo is tied in with campus emails and banner accounts and is available on all campus computers.
Last August, SUNY Plattsburgh started a yearly contract with Duo Security Inc,a multi-factor authentication service provider that is “Effective, scalable security that is easy to use, easy to deploy and easy to manage,” according to its website. Duo Security Inc. charges SUNY Plattsburgh an annual fee of $17,160 to provide up to 10,000 users the additional security. However, It does not provide access keys for the campus. Computing Systems and Desktop Support Coordinator TJ Myers prefers users to register their cellphone to the software because it’s easier and more convenient. Myers said the keys cost about $20 individually, so providing every member of campus with an access key would be expensive.
Duo has various security mechanisms that give sensitive information extra protection against intruders. Myers said it works on and offline for phone users and displays a unique access code—that changes every 60 seconds— so the user can log in to their accounts. If a user forgets their password or loses their access key, they will be forced to call the help desk. Help desk employees have been trained to ask questions unique to the user. Myer said they ask a variety of questions including ones specific to one’s banner.
Duo will ask for an identity verification token every time a user logs in and will only work on chrome and firefox browsers. This aspect of Duo became a problem for campus employees who continuouly log into their computer.
“It’s very annoying,” Human Development and Family Relations Lecturer Nancy Hughes said. “Each time I want to [log in], I need my cell phone that I often forget.”
Hughe’s phone battery has to be charged constantly because of its advanced age and poor condition. This slows Hughe’s work down when she’s forced to provide a token of identity verification. Despite this, she agrees with SUNY Plattsburgh’s choice to implement Duo on campus. Myers said professors can avoid repetition by enabling a remember me setting that allows the user to stay continuously logged in for eight hours.
Students currently do not have access to Duo because SUNY Plattsburgh’s contract with the company previously only allowed faculty and staff to be enabled into the system. Myers said the contract has been amended since then so all students will be introduced to Duo by summer 2020.
“We are trying to tighten our security on campus,” Myers said. “We are trying to prevent an imposter from using social engineering tactics to hijack an account for malicious purposes.”
Myers said introducing students to Duo should be “less painful” than it was with faculty members because of today’s digital culture.
SUNY Plattsburgh senior Ellen Miller has had three different phishing scams appear in her email. She said the advanced security is a good idea but is sure phishing scams will stay present on campus.
“I don’t want to say our emails are completely safe because they will never be,” Miller said. “People can find ways [to hack one’s email].
Myers said implementing Duo will assist campus cyber security greatly.
“We want to make sure every account on campus is protected,” Myers said. “We don’t know what every account has access to. We might as well protect them all.”