In one of the largest steps in recent years to improve campus network safety, Yale Information Technology Services has announced plans to add another layer of security to the user login process.
Beginning Sept. 8, students trying to access Yale’s network and resources while off campus will now undergo multifactor authentication, a process by which users prove their identity — in addition to entering their NetID and password — by responding to a secondary prompt on another device, such as clicking a smartphone screen button or entering a code sent to a mobile phone. Employees and staff have been enrolled in the new security measure in stages since this summer. This change comes as cybersecurity risks have grown in size and sophistication, and, as a result, institutions such as Yale have explored new measures to safeguard their community and data.
“The impetus is that on a regular basis people are losing their account credentials,” Yale’s Chief Information Officer Len Peters said. “So multifactor authentication is being used primarily to reduce or eliminate compromised accounts, and we have already seen a significant decrease in the number of compromised accounts because of this [protection].”
Over the course of three days, users from each of the 12 residential colleges will be placed into the new system, in which students will receive an email to register their mobile device, landline or tablet, which will then be used to authenticate their identity when outside of the Yale network, according to an email sent to students Tuesday.
For users outside the reach of the Yale WiFi network — such as those surfing the web at a local coffee shop or inside an off-campus apartment — this new layer of verification will be required for actions such as accessing Yale email accounts, logging into the Virtual Private Network or entering the Central Authentication Service.
Peters said that in adopting this measure, Yale is joining a growing number of schools that have implemented similar protections for users, including other Ivy League institutions, Duke, the University of Chicago and the Massachusetts Institute of Technology.
“Yale is taking the next step to protect your data and personal information from hackers, identity thieves, criminals and other unauthorized individuals,” Chief Information Security Officer Richard Mikelinich said in a video announcing the new measure. “Imagine all your important data stored in a bank vault, your password is the combination lock … Multifactor is the guard standing watch.”
He added that this protection is “fast becoming” a standard in information security not only for online commerce, but for any place where information is only protected by a single password.
Experts interviewed said this type of additional protection will help decrease the vulnerability of Yale’s systems, which contain sensitive information, whether it is intellectual property, financial records or personal information.
“What you want to do is ensure that no one piece of information gives the criminal the key to the capital,” said Lysa Myers, a security researcher for the information technology security company ESET. “[With multifactor authentication], if [hackers] get someone’s password through phishing or by forcing it, they aren’t able to log in unless they have a second authentication.”
Still, others expressed concern that this type of policy may not be popular with students, who will now face an additional step before getting access to their accounts.
Fred Cate, former director of the Indiana University Center for Applied Cybersecurity Research, explained how “nine times out of 10” better security often leads to greater inconvenience, which makes it difficult for IT professionals to implement these types of safeguards.
“If you say to [users], are you willing to use a more complicated authentication system? Most [users], when it comes down to it, aren’t,” Cate said. “That is where the real challenge will be.”
Kay Teo ’16 said this type of protection is necessary given the threats in cybersecurity.
“It is an essential step because there have been a lot of phishing attacks, especially among the faculty, so it is a good move,” she said.
Peters said he believed students would be receptive to the changes given the amount of attention now being directed towards protecting personal data and account information.
He added that users will have until roughly November to enroll in multifactor authentication before the system requires it.
“We live in a climate where information security is impacting everyone’s lives,” Peters said. “We are in a period where people are very understanding of the necessity of this type of technology.”
According to Yale’s Information Access and Security policy, every Yale NetID password must be changed at least once per calendar year.