All faculty and staff, including graduate teaching and research assistants, are required, as of Oct. 1, to use more than one form of log-in to access Blackboard, Enroll and Pay, and other online resources.
Multi-factor authentication adds further requirements for logging in to KU systems, in addition to a general password. The University of Kansas adopted Duo, a system that works through a free mobile app, to provide secondary forms of authentication at log-in.
With Duo, after a user initially logs in to a server with an online username and password, a push notification can be sent through the Duo app to a mobile device. Once the user accepts the alert, they are allowed to enter the system, according to the KU IT Security FAQ webpage.
The program was implemented as a way of protecting faculty, staff and student identities and personal information within the KU online systems, Interim Provost Carl Lejuez said.
“I will say with 100% certainty we should have done this already,” Lejuez said. “As provost, I can’t support us not having this.”
Lejuez said hackers have used these systems to, for example, send emails posing as administrators and asking KU community members to buy gift cards. With multi-factor authentication, hackers would have a harder time doing this.
The change comes nearly two years after a former student was charged with 18 felony counts after allegedly using a USB keystroke logger to hack into campus servers and change his grades.
Those who do not have smartphones or do not want to download the app onto a mobile device can opt to use what is known as a token, a device that generates a code after a user enters initial login information.
The rollout overall went smoothly, with about 92% of faculty, staff and graduate research or teaching assistants enrolled in the program by the Oct. 1 target date, Associate Director of Internal Communications David Day said in an email.
“Multi-factor authentication is one of the most important steps we could take to protect our campus, including student data,” Day said. “In fact, we already know of at least one case where Duo stopped a cyber-attack by preventing unauthorized access to an employee’s account.”
The mobile app is the most convenient way of accessing the Duo system, according to the FAQ page. But some graduate students are choosing to use a token instead.
“I would personally rather use a token because KU isn’t paying for my phone bill,” said Neill Kennedy, president of the Graduate Teaching Assistant Coalition. “This goes back to us being treated as workers instead of us being treated as just students.”
Employees are likely already using personal devices for work-related activities such as checking email. The University views Duo similarly, according to the FAQ page.
Others were concerned with what personal information on a mobile phone would be accessible to the University.
“I see this as unnecessary securitization,” said Nathan Pickett, a Ph.D. candidate in geology and member of GTAC. “I did not want to provide all this personal information to KU and also to let them have third-party access to my phone.”
The University does not have access to information on a personal device through Duo, according to the FAQ page.
Pickett said he was not aware of the need for an app or token when the multi-factor authentication system was turned on in his department in August. Though the system was not required campus-wide until Oct. 1, some departments chose to turn it on early.
Pickett struggled to get a token, he said. He had to get special codes from the University’s IT office to access University programs like Blackboard until he received a token.
Anyone wanting to use a token in place of a mobile device will eventually receive one, Lejuez said.
“It may not occur right away. There may be some glitches in the system,” Lejuez said. “Where that’s the case, I think we want to make sure students are sharing it with their adviser, and their adviser is sharing it with the chair … and that we make sure it reaches someone that is able to get them.”