Nearly Six Months After Rollout, NYU Community Evaluates MFA


Sam Cheng

A student uses the “Duo Push” authentication method to log in to an NYU account.

Paul Kim, Staff Writer

It’s been a little under six months since NYU made Multi-Factor Authentication mandatory for NYU students faculty and staff. While the upgrade in cybersecurity was rolled out on Nov. 6 2017 to the entire university, it was optional for the NYU community to register to for at least over a year beforehand.

In a statement issued by NYU IT to WSN concerning MFA, NYU IT notes that 300 universities have implemented MFA as well as banks, corporations and other institutions.

“Implementing MFA uniformly across NYU is a major step to protecting data — for individuals, offices and the entire university network,” the statement reads.

By making MFA required for all students and faculty, NYU IT is increasing security whether individuals want it or not.

Since its implementation, MFA has been met with mixed reviews. Some have argued that an optional MFA for students would solve some of the problems that critics have risen.

CAS junior Eric Lin, a student employee for NYU IT’s academic application development, argues that if MFA was optional, nobody would opt-in.

“Why do something that you don’t have to?” Lin questioned.

Prior to its mandatory rollout to the entire university, MFA was available to faculty and staff to secure their NYU affiliated accounts. In the past year, NYU has had multiple hacking incidents.

Despite these hacking events, Lin said in a later email that his manager told him under 10 percent of NYU employees signed up for MFA when it was optional.

While MFA was optional for most faculty and staff, it was mandatory for the NYU IT and Human Resource departments as both of these departments have access to sensitive information about NYU said Lin.

Yet another common criticism is that not every student or faculty member has access to a smartphone. Lin points to both the calling and SMS alternatives to Duo Push, the login option that involves a push notification through a smartphone app. However, he also notes a blind spot in this system regarding people without smartphones in foreign countries where SMS and calling are not available.

Professor Juan Carlos Aguirre, a lecturer with the Core Curriculum teaching a first-year seminar “The Art of Nonfiction Narrative” in CAS, said he has found MFA to be disruptive when it comes to accessing online resources during class.

“I think it’s been a little bit of a hindrance in smooth day-to-day usage of that,” he said.

As a professor who strives for a classroom without phones, laptops or tablets, Aguirre has found that being forced to pause class to take out his phone to get into NYU classes often undermines his teaching.

“If I’m telling students not to pull out their phones and then I have to do something where I have to pause and pull out my phone, it seems a little bit less than ideal,” he said

On the other hand, while Zach Schadt, a junior in Computer Science in Tandon isn’t bothered by the time it takes to go through Duo Push, he doesn’t think that the new upgrade in security is entirely necessary.

“I guess if you don’t want to worry about having super complex passwords, you could do the multifactor thing,” he said.

In the six months since its rollout, Multi-Factor Authentication has sparked strong reactions from the NYU community. It remains to be seen whether NYU IT will take these into consideration.

Email Paul Kim at [email protected].