Over the past year, the University’s Information Technology Services has been rolling out the two-factor authentication software DUO to faculty, staff and students. Seeking to dispel misconceptions about the software, University Chief Information Officer Jim La Creta, Director of Networks, Systems and Security David Albrecht and Communications and Change Management Specialist Christine Jacinto met with the Justice on Wednesday for an interview. 

Albrecht explained that DUO is “a way to better protect user identities,” which requires a password and a “form of authentication:” either a push notification from the DUO app, a text, a phone call or a hardware token. The tokens are small devices, he said, that “spit out pseudo-random numbers that would correspond to numbers that would pop up on the app that you would type in for the second factor of authentication.” Albrecht said that 300 people have requested the token for several reasons — “they don’t have a phone, or they have a phone but want a token, or they don’t want to use any of their own devices whatsoever.” The easiest method of authentication, he said, is using DUO’s mobile app.

Albrecht said that “Brandeis holds a significant amount of … personally-identifiable information,” and under laws such as the Family Educational Rights and Privacy Act, which protects educational records, and the Gramm-Leach-Bliley Act, which concerns financial information, the University is required “to maintain and protect that information.” Additionally, DUO can aid in protecting one’s own personal information, Albrecht said. He explained that for student workers, this includes W-2 forms and direct deposit information.

DUO also protects against phishing, Albrecht said. There have been “malicious emails that have come through that have caused people to enter their password credentials unknowingly to a third party,” he continued, which compromised the accounts. La Creta added that DUO is “part of a larger security program” that includes the ProofPoint software to notify ITS of malicious emails. With DUO, “there’s that second step of verification that makes it a lot harder for an attacker to get through,” La Creta said, as a hacker would need to have much more information. “It’s almost like putting in a second password,” he explained.

Currently, Albrecht said, “over 4,000 people [at the University] … are using two-factor authentication,” including all faculty, staff and “2000 plus student workers.” The rollout began “a little over a year ago,” starting with senior management and ITS staff, then moving on to other departments like the Heller School for Social Policy and Management, the Rabb School of Continuing Studies and the International Business School. 

In December 2018, ITS started working with faculty to get them on board with DUO. Many faculty have been resistant to DUO, and Albrecht stressed that education has been important in changing their minds. For many, he said, DUO disrupts a routine, and the extra step of authentication is inconvenient. La Creta acknowledged that using two-factor in the classroom could be “stressful” because of the extra time necessary to log in to Latte. 

La Creta said that the slow rollout was “very purposeful,” because they wanted each group to give its thoughts about the software’s implementation. With its implementation, La Creta said, “the calls to the Help Desk on this have been minimal,” though ITS is still looking for ways to educate the community about DUO and better “reach the masses.” He also invited feedback from the community.

Sam Stern ’20, a teaching assistant in the Computer Science department, said he thinks that ITS could have used a better method of two-factor authentication than DUO. “Phone apps are terrible, ridiculously inconvenient and the DUO user interface … is not that great,” he said. Regarding the small checkbox that says “remember me for thirty days” — reducing the number of times a user has to go through the second step of authentication — he said it is not easy to find. The biggest problem he has seen with DUO’s rollout has been people like him who do not want to install the app, including many in his department.

One misconception that Albrecht and La Creta addressed was a stigma around using a token, which could indicate that someone does not have a smartphone. Albrecht said that as DUO is rolled out to the entire community, tokens will become commonplace around campus. “To me, there’s not really a stigma of having a token. People are just using for whatever is best for them,” he said. Stern said that “hardware tokens are slightly more inconvenient because you have to press a button and enter a code, but I use one, because I’m not installing that app on my phone.” If someone forgets their device, the Help Desk can also issue one-time passwords, Albrecht said.

Albrecht said that many people may not understand why the University needs DUO. “I don’t think a large part of the community understands the laws and regulations that we have to comply with as an institution,” he said. Two-factor authentication, he continued, is the “de facto standard” and the “least disruptive” form of cybersecurity. Other programs require “constant password changes,” he said. Additionally, if the software crashed, “DUO is quick to resolve the issues,” and crashes happen very rarely, Albrecht said. “In a year, we’ve had two incidents” of software errors, he added.

Stern also thinks DUO will improve cybersecurity. As a teaching assistant, he has access to “legally-protected information,” he said. “It’s the school’s obligation, and it’s our obligation as people responsible for this data to protect it … as best we can.”

Though many may think that DUO could infringe on their privacy, Albrecht stressed that DUO does not collect data, though ITS is able to see “if someone malicious tries to log in as you.” ITS purges its log records regularly, and staff do not look at the log records unless someone reports a problem.

La Creta emphasized that two-factor authentication is part of daily life at many other companies and institutions, with several banks and Amazon opting in recently. He emphasized the importance of improving security measures. “We get attacked all the time. We just don’t publicize it to the community,” he said.