Multi-factor authentication will soon be required for all UVic accounts
Last year, UVic implemented a two-factor authentication (2FA), or multifactor authentication (MFA), system for employees and students through a third-party app called Duo. The rollout will make 2FA mandatory for everyone at UVic by March 2024. However, some students are questioning whether this app was the best choice.
According to a university spokesperson, MFA was implemented to protect the login credentials of students and staff from security threats such as malware and phishing scams. MFA is also required by UVic’s cybersecurity insurance providers.
One common complaint about Duo is how frequently it requires users to verify their login.
Moise Ruch, a fourth-year political science and business student, explained to the Martlet that using Duo to log into his UVic account once would be fine, but he sees re-authenticating once every week as unnecessary.
“I don’t think I realized that this would be an everyday part of my life trying to sign into my account,” said Zacharie Greenfield, another fourth-year political science student.
The weekly time-out can also occur in the middle of class, forcing students to pull out their phones in order to access Brightspace.
Another common issue with Duo is the phones themselves. Midori Ogasawara, an assistant professor in the department of sociology, explained that in order to use MFA, you need to have the latest smartphone. If you don’t have these devices, you don’t have access. Duo currently supports Android 11 and up and iOS 15 and up.
Not everyone has a smartphone that can run the Duo App, or a smartphone at all.
Sarah Roberts, an art history graduate student, explained that she lost access to her UVic account when she lost her phone. The Help Desk was closed for a holiday at the time, and as a result, Roberts had to wait a few days before getting back into her account. Although she had a backup phone to use, the device was too old to run the Duo app.
While the Duo app is UVic’s suggested MFA service, there are alternative options. Students can use another app (such as Google Authenticator or Microsoft Authenticator), a physical Duo hardware token, or a set of backup sign-in codes. All students interviewed were unaware of these options.
Duo was chosen because it passed UVic’s Privacy Impact Assessment. According to the university, Duo is also “the industry leader in higher education because it supports the most diverse set of services, technologies, and devices out of all 2FA providers available.”
The Duo mobile app uses a pseudonymized mobile data analytics provider to gather data on how users use the app and a pseudonymized crash report service. According to the website, it cannot ‘see’ what users do in other apps, and users can disable this feature on Duo v3.24 if they choose.
While some see it as a hassle, political science student Greenfield emphasizes the importance of protecting students’ accounts. “There is very valuable information about what you’re studying, where your finances are coming from, all these sorts of things can compile to draw an image about you,” Greenfield told the Martlet. “In today’s world, algorithmic data programs can infer things about you that could shock people thoroughly.”