A Look Inside MFA, 30,000 Users Later
September 8, 2017
In the spring 2017 semester, the Fordham community said goodbye to the time-honored tradition of changing my.fordham passwords every few months, and said hello to a new acronym: MFA. Also known as multi-factor authentication, the system operates in a similar manner to multi-factor or dual-factor authentication systems in place for other services, such as Gmail, Twitter, Facebook and Instagram. Once users register a device with the network, my.fordham sends a push notification to, or calls, their devices in order to verify their identity after they enter their passwords.
Now several months into operation, over 30,000 Fordham users are enrolled in MFA, according to Lynne Chernow, executive consultant for Fordham IT.
But why was it necessary in the first place, and how exactly do MFA and the Duo authentication app work?
“Prior to having MFA, which is sometimes called two-factor authentication, it was mostly a password that was providing security at login to Fordham systems, so MFA provides an additional layer of security in verifying your identity,” said Chernow. “It reduces the risk of unauthorized access to your account, should your password ever be compromised.”
MFA is part of an effort to protect the identity and personal information of members of the Fordham community, according to the 20-page MFA user guide, which states that data security “continues to be a concern in the private and public sectors.” It additionally states that hackers may target higher education institutions “for their intellectual property, personally identifiable information, and financial information.”
The old system of changing passwords was flawed for a few reasons, according to Chernow. Among them were the tendency of people to create easily guessable passwords when having to change them frequently, and writing them in visible locations such as Post-It notes left on desks. “So in some organizations, having to frequently change passwords does not accomplish much,” Chernow said.
The best way to use the new system is to use the Duo Mobile app, according to Elizabeth Cornell, Ph.D., director of IT Communications. The app, available on the Google Play and iTunes stores, sends an immediate authentication push notification to your smartphone or tablet after you enter your password. Responding to the notification will grant access to your account.
“Not everyone uses push notifications, but everyone should,” Cornell said.
Chernow further stipulated that students should be enrolling at least two devices with MFA, in order to have a backup device if one is misplaced, charging elsewhere, or forgotten. The backup device can be a phone, a tablet, or a parent’s phone number, according to Chernow.
Duo stores users’ Fordham AccessIT ID, email address, and authentication device information, such as phone numbers. It does not store their passwords.
There are situations, however, where you do not have to verify your identity using MFA, according to the user guide. They include using wired desktops and laptops in administrative and faculty offices and using the wireless network at Health Services and Counseling and Psychological Services. Users can also opt to have their authentication remembered for 30 days when using the same device and browser.
But with 30,000 users, that is a lot of passwords being entered, and a lot of devices connected to the MFA system. Cornell assured me, however, that Fordham IT has taken steps to make sure that that information stays secure.
“Fordham IT will never ask for a password over email,” Cornell said. She added that Duo does not have access to users’ passwords either. “Fordham is very careful in not storing and sharing passwords.” The user manual details that Duo stores users’ Fordham AccessIT ID, email address, and authentication device information, such as users’ phone number.
To help students navigate the MFA system, Fordham IT has a webpage devoted to information on MFA, including separate pages for smartphones and tablets and for mobile phones. Additionally, there is the user guide and a three-minute-long instructional video on how to set up MFA.