USC implements multi-factor student identification
Jihoo Kim’s struggles with the Duo two-factor authentication system come in the form of small annoyances. Having to run from room to room to check the connection on her phone while working on her computer poses a problem for both Kim and her roommate, the former of whom missed “so many classes” on Zoom due to the double authentication requirement. Since cellphones aren’t allowed in some of her classes, Kim found Duo, which works exclusively on cellphones, a “hassle.”
Beginning January 20, students were required to use Duo to add protection to USC systems that require the NetID login process. Although Kim, a young international relations student, understands the importance of security and information protection, she is one of many students who are not “big fans” of Duo.
The prevalence of ransomware incidents around the world has “regulators and insurers [sic] now requiring an additional type of protection for email accounts,” according to Gus Anagnos, information security officer at USC. A ransomware attack occurs when a hacker hijacks the system containing sensitive information and demands a ransom in exchange for unlocking the system. The added protection through programs like Duo, known as Multi-Factor Authentication, helps increase the likelihood that the right person will log into that email account.
“Think of it as an alarm code in addition to your front door key – to better prevent criminals from using your USC email to send malicious emails to other members of the community Trojan horses, including those that have access to sensitive data and systems,” Anagnos wrote in a statement to The Daily Trojan.
Nicolas Marquez, a first-year business administration student, said he thought Duo was a safe alternative and was relatively effective and easy to use. But Duo’s process still bothers him.
“It’s annoying, especially when you just need to go into MyUSC or get something fast,” Marquez said. “Sometimes some of my friends don’t have Wi-Fi or their phone is dead so they can’t even connect to their computer.”
Although the change is recent for students, University staff members have been using Duo for a few years. For Jenn de la Fuente, assistant professor of public relations, Duo was awkward at first but has since “blended into the background.”
“It’s something people have to get used to,” de la Fuente said. “There are so many things tied to our USC ID that it’s almost obvious to have an extra layer of security.”
According to Anagnos’ statement, Duo’s implementation is intended to protect sensitive user information, including addresses, birth dates, social security numbers and medical records.
When logging in, Duo offers three authentication options after a username and password: “Push me,” “Call me” and “Enter passcode.” According to the Duo Guide, Duo recommends using the “Duo Push” feature, which can only be done through the Duo Mobile app.
Carol Zhou, a second-year public policy student, recently discovered the Duo Mobile app, but has only used the call and text options. Zhou said the problem with Duo was its “timing,” as the app often loads slowly and takes a long time to place the call.
“Entering the code takes a long time because it doesn’t enter automatically,” Zhou said. “And when [Duo] calls me, I don’t want to disturb the people around me… I understand where it’s coming from, but it’s so embarrassing.”
Although considered troublesome, MFA services like Duo can block up to 99.9% of account compromises, which are a very common entry point for ransomware attacks, Anagnos wrote.
As someone who has been hacked before, de la Fuente said she also uses two-factor authentication on her personal Gmail account for the extra layer of security it provides. She said she thinks people need to be aware of internet safety.
“It’s a smart idea to implement in a lot of other things in our lives,” de la Fuente said. “We do so much by email. We have so much of our information online.”