I Tried… Multi-Factor Authentication for a Week


Tony Wu

NYU MFA (multi-factor authentication) is a feature rolled out by NYU ITS that adds an extra layer of your security to your NYU NetID. By requiring you to approve a login attempt on your smartphone, it makes sure that in case your password is stolen, your NYU account is still safe (unless your phone is stolen as well.)

Natalie Chinn, Staff Writer

Despite endless emails from the NYU IT Service Desk, you probably haven’t installed Multi-Factor Authentication yet. The opt-in program has been available for NYU students since last May and will become mandatory for students starting Nov. 6.

In a nutshell, MFA is an extra layer of security for student, faculty and staff’s private information in NYU’s online database. With MFA, every time you access your NYU account, you must authorize your login on a cellular device. It’s equivalent to Trader Joe’s double-bagging your groceries to make sure nothing falls out. I tried it out for a week to see what it was like, and how the program could improve before implementation is mandatory.

Day 1
Following the instructions to download the Duo app to install MFA was simple and straightforward. Immediately after installing MFA, I used my phone to log into NYU Home on Safari. After putting in my netID and password, three options appeared: “Send Me a Push” (to the Duo app), “Call Me” (on registered cellular device) and “Enter a Passcode” (from the Duo app).

I chose the push notification and instantly noticed that I had to manually switch between apps to approve the login. For iPhone users, this means a lot of double tapping of the home button. This problem was solved by the return button in the top left corner of iPhones, which returns to your previously used app. Logging in with MFA on a computer was much easier; however, you will need your registered smart phone at hand.

Day 2
As I rushed to check NYU Classes while walking to class, I discovered that MFA logs you out of your NYU account every few hours. I had completely forgotten about MFA and had to go through the process of approving my login on the Duo app. It was pretty annoying, but I accepted the fact that this was going to happen for the rest of my NYU career.

Day 3
I had been avoiding NYU Classes all day. Even though the authentication only adds 30 seconds to logging in, it felt like a waste of time. Today I tried “Call Me” instead of the push notification, and it was more efficient. A call was sent to my phone, and after picking up and dialing a random number, I was automatically logged in. This was helpful because I didn’t have to unlock my phone.

Day 4
Today I tried using the “Passcode” option, which took three times as long as calling. This function is only useful when your phone is not connected to Wi-Fi or data. I also tried the “Remember me for one day” option today, which led to the best 24 hours of my whole week.

Day 5
I wonder how MFA will affect classroom efficiency. Today, while my professor logged into her NYU Home to access her Google Drive, I wondered how much longer it would take with MFA. She’d have to retrieve her phone from her bag and go through the whole process in front of the class. It’ll also be interesting to see how professors with strict no phone policies deal with MFA in the classroom if students need to log in to NYU Home in class.

Day 6
Using MFA is becoming exponentially more annoying, but easier to remember. However, I realized today that if your phone is broken, dead or lost, you won’t be able to access your NYU account unless you register a backup phone. This is the biggest flaw in the system.

Day 7
Even though I’m adjusting to logging in with MFA, it’s difficult for its benefits to outweigh its inconvenience. MFA is a disaster waiting to happen, especially for students. I’m dreading the day I forget my phone at home and need to access a presentation on NYU Drive for class. I wish NYU had a better way of securing our information, and I hope it can find a more efficient system for students to use in the future.

Email Natalie Chinn at [email protected].