Starting on Nov. 26, students will be required to sign into Student Center and Student Essentials through a two-step login process, which the administration believes will significantly improve the security of personal information.
“This step [Two-Step-Login] may cause inconvenience, but we believe it is worth the effort to protect students’ account[s] and data,” said David Lifka, vice president for information technologies and chief information officer for the University.
Two-Step Login means that students have to confirm their identity on a separate device before logging in. They can take a call on a registered phone, tap “Approve” from an app called Duo Mobile, enter a code from either the app or a keychain or tap the button from a USB device, which are available for purchase online.
Lifka noted that the number of compromised accounts has been much lower after they created the Two-Step Login. Security has vastly improved because adversaries will need to have not only a person’s password but also access to their secondary authentication device.
Bypassing the Two-Step Login is “not impossible but highly improbable,” Lifka told The Sun.
Students will be required to use this method to access sensitive information, but Two-Step Login is not new.
“Faculties have been required to use Workday Two-Step Login since June 2017,” Lifka said.
Furthermore, students can also opt to expand use of two-step login to all Cornell services that require a login.
Asked why Cornell chose Duo, Lifka pointed to its flexibility. Besides using the app on smartphones, students can purchase a Duo Hardware token at The Cornell Store or have the Duo call a landline phone, he explained. Tokens at currently retail for $25.
Duo is also able to monitor fraudulent activities through responses on the app. If someone is trying to access your account, users are able to report this activity firsthand, before damage is done.
If a student loses their phone, Lifka explained that they can always call the IT Service Desk for assistance if this is the only secondary authentication method. He also recommended that students enroll more than one device to avoid this scenario.
Meanwhile, to alleviate the inconvenience from repeated authentication, Lifka pointed out students can opt to select the checkbox to “remember the device for 24 hours”.
“We are constantly evaluating new methods to improve the security of all systems and the people who use them,” Lifka said about next steps.
“As new methods become available and viable for the Cornell community, we will be sure to give users ample lead time to understand them, their impact, and best practices for their use,” Lifka said.