Multi-Factor Authentication Use Still Low, Despite IT Department’s Efforts

Helen Crosby

NYU IT has implemented multi-factor authentication to add another layer of security to academic sites.

Helen Crosby, Contributing Writer

NYU Information Technology is currently implementing the use of a new Multi-Factor Authentication security system for its websites in response to previous instances of hacking.

Thus far, only 15 percent of the student body has signed up for the system despite the fact that NYU will soon make Multi-Factor Authentication a requirement for all students and faculty who use the university’s single sign-on websites, which include all sites that require your NetID and password, according to Associate Vice President of Service, Security & Compliance Kitty Bridges.

MFA requires individuals to verify their identity on another device — usually a mobile phone —  before logging in. For example, after logging in initially, users can enter a code sent to them via text or answer a phone call after which they can access the site.

People using a mobile device as a means of verification can download the Duo-Mobile app, which will prompt them with a verification push notification. After corroborating that they are, in fact, trying to log in, users will be allowed access to the website.

NYU has had previous issues with hacking, which prompted this new security measure. Last academic year, WSN reported that NYU had been the target of more than one hack. Additionally, there have been problems with email hacking in recent years.

“I think that it’s a beneficial thing to have system-wide, especially considering how many times NYU has had email hacking problems,” Steinhardt senior Amy Shih said.

On Aug. 1, a post on the NYU IT Facebook page stated that this fall, NYU MFA would be required to access NYUHome, NYU Classes, NYU Email and other services.

However, despite these goals, the start date for requiring MFA among all users has still not been established. According to Bridges, the IT department is still working on selecting a date at which MFA will become required even though some students seem unaware that MFA is soon to be mandatory.

“I don’t think many people know that it will be required soon,” Shih said.

MFA has been used at NYU for some staff accounts for several years now. According to Bridges, employees of the university have been using MFA since 2016 in order to access Peoplesync, a website used for direct deposit and other employee resources, and the technology has also been used for some IT accounts before then.

The application of MFA to Peoplesync was set up in response to issues that compromised the redirections of direct deposit money.

“The initial impetus for this was redirection of Direct Deposit to other bank accounts,” Bridges said. “These redirections took place when account credentials (NetIDs and passwords) were compromised — either through responding to phishing attempts, using insecure wireless networks or sharing passwords.”

MFA is currently being used by most other universities as well, many of which have seen a drop in how many accounts are hacked.

Currently, students and teachers are able to opt-in to the system before it becomes a requirement to access their accounts.

Email Helen Crosby at [email protected]