UMN to roll out new two-factor security sign-in

The new sign-in will be implemented gradually over the next year, beginning in November.

Joey Gunderson, a service desk team lead, poses for a photo on Tuesday, Oct. 16, 2018.

Will Tooke

Joey Gunderson, a service desk team lead, poses for a photo on Tuesday, Oct. 16, 2018.

Caitlin Anderson

In an effort to prevent cybercrimes, a two-step security sign-in for all University of Minnesota websites and applications will be rolled out in November and implemented over the next year. 

Two-factor authentication, provided by the security provider Duo Security, is the newest mechanism by which students, faculty and staff will sign into University websites and applications. This double sign-in process includes something known by the individual, such as a username and password on University websites, and something the individual owns, like a mobile phone or tablet.

“Passwords just simply aren’t enough anymore. Phishing and other cybercrimes have made it too easy for accounts to be compromised these days,” said Jake Fleming, a senior project manager for the Office of Information Technology.  

Two-factor authentication is a method of confirming people’s identities accurately, Fleming said. After signing onto a University website or application on a device, the second step will be confirming the sign-in through a push notification, a call or a passcode.

While there has not been a widespread instance of cyberattacks at the University, he said there have been isolated incidents. 

“The University is fortunate to not have had a widespread phishing or other types of cyberattacks. As they become more frequent and deliberate, it’s important that institutions like the University implement solutions to protect data,” he said. 

Some students, faculty and staff at the University have had their paychecks or financial aid stolen from password theft, according to an information page provided by IT. But this is not the sole reason for the change, said Joey Gunderson, a service desk team lead in IT. “It allows everyone else to be more secured and not [have] to worry about there being an increase [in cyberattacks],” he said. 

Some University students said the extra step may be annoying, but understand it’s necessary for increased security. “I get the security measure of it, but there’s going to be a lot more students asking for help,” said Cortney Tolson, a freshman at the University.

While two-factor authentication will be rolled out Nov. 1, students won’t need to enroll until their annual password resets. 

“If I have to reach for my phone, that feels annoying. But if that’s what it takes, I don’t terribly mind,” said Bradley Kelly, a junior at the University. “I think there’s validity to it. It’s not so inconvenient that it’s worth taking the risk.”

Fleming said his team has been talking to the community about Duo Security. Once people know what it is, they’re less concerned about it.

“We’ve taken steps to try to overall make it as seamless a transition for people,” Fleming said. 

One of these steps is allowing the ability of Duo Security to remember the device used for up to seven days. 

In many other institutions, two-factor authentication has become the new normal. Some Big Ten schools are also implementing similar cybersecurity measures. Universities are often a target for cyberattacks due to the amount of resources and data they have, Fleming said. 

“We’re hoping that we’re helping provide an additional layer of security,” he said.