In case it got lost in your overflowing inbox, as it did for many students, here it is in print: all students must register for DUO by October 29th. DUO is a two-factor authentication system, and it is a protection for your Wellesley Workday and Google accounts. It is necessary due to the ever-growing threat of phishing.
There are several ways that two-factor authentication can work. Upon trying to log in to your account you may receive a text message with an additional code to write in, or a phone call with an automated voice that dictates the code to you. The method that Wellesley will be implementing is the push method, which, according to Wellesley’s Chief Information Officer (CIO) Ravi Ravishanker, is also the most secure. Upon entering their usernames and passwords into either Workday or your Wellesley Google accounts, students will receive a push notification requiring them to confirm that they attempted to log in to their account.
“If somebody else somewhere is trying to log in and you suddenly get a push, you know that somebody is trying to break in,” Ravishanker said.
According to Ravishanker, Wellesley’s security systems thwart massive numbers of account hacking attempts. “If you really look at how many attempts that we thwart, it can be anything from 5,000 to 10,000 attemtps every second,” Ravishanker said. This applies most to staff and faculty, who have all been required to use DUO since last year, and who hackers would be more likely to attack because they “are the guardians of not just [their] own data, but of other people’s data,” Ravishanker explained. This can include the names and grades of students, and the salaries of other employees.
It is important to note that the immense number of detected and thwarted account break-in attempts is only one part of cybersecurity. “There was also an article today saying 90% of all compromises come from within,” Ravishanker said. Often, account compromises happen because users have weak passwords or fall for phishing tactics. This part of the security issue is very relevant to students. “Phishing” occurs when someone makes a user unwittingly give up their password. Since most people use the same password for multiple accounts or websites, this is an incredibly frequent phenomenon. Heather Woods, associate CIO of Wellesley, and Doug Chudzik, the DUO project manager, both mentioned the example of the online textbook rental site Chegg being compromised recently. Students who use the same password they use on sites like Chegg as their school password, and often their same username as well, are immediately compromised; a phisher knows what password to use to access personal information and where.
All three add that another good reason to implement two-factor authentication is that it is becoming internationally recognized as a necessity. Most workplaces have it, and banking accounts or other places that store your personal information also now ask customers to use two-factor authentication. At Wellesley, it has had visible results. The number of people compromised by phishing, particularly in faculty and staff, decreased at first after implementing security education, and then significantly after implementing DUO.
The implementation of DUO at Wellesley has not been flawless as some students have reported having difficulty logging into their accounts. However, the LTS team expect the DUO enrollment and use process to become very easy, or to quickly find solutions to any problems that arise.
In response to the issue that many faculty members do not bring their cell phones to class and therefore could not do two-factor authentication, LTS has given those who need it a YubiKey. It is essentially a USB key which makes up the second part of the authentication (for Google accounts only) rather than a push notification or text message. It requires the person logging in to plug in the key and physically push it to activate it. If other issues arise with DUO, the computing help desk in Clapp Library will have extended hours on October 29th— the deadline for registering.
Activating DUO is not a guarantee of complete cybersecurity. For example, it will only protect your Wellesley account, not any personal accounts. Using different passwords for every account (the LTS team mentions using password managers as a possibility) and changing passwords regularly increases safety. Ravishanker says that laws do not make it easy to trace and recover stolen money or information. So as for the security methods, “As much of a pain [as] it is, you don’t want to come to regret it afterwards”.
