Logging into a password-protected Emory account will require a few extra steps as current Emory affiliates face a new University security system, Duo. The system is designed to protect the Emory-hosted information of all University and Emory Healthcare faculty, staff and students and is being implemented throughout campus.
Duo was approved for implementation at Emory May 2014 in light of the increasing frequency of phishing and security breaches in higher education and is now ready for campus-wide integration, Emory Chief Information Security Officer and Duo Project Sponsor Brad Sanford said.
Duo is a two-step authentication process. According to an email to all University affiliates, Duo will provide an extra layer of security beyond password authentication. If a user attempts to access an application or an account from an off-campus location, the security system will prompt the account owner to confirm the user’s identity using a push notification sent to their phone.
As of Sept. 26, about 45,000 Emory students, faculty and staff have enrolled in Duo, Infrastructure Security Manager and Duo Project Technical Lead Andy Efting said. There are currently more students than faculty and staff enrolled in Duo. However, at 60 percent, students have the lowest enrollment rate of the three groups.
Efting believes that a “lack of urgency” has caused the low enrollment rates, since the Duo enrollment deadlines — Monday, Oct. 10, for accessing any Microsoft 365 services off-campus and Wednesday, Oct. 12, for accessing Online Pathway to University Students (OPUS) off-campus — have yet to pass.
“I think we have good percentages right now, but the more we have enrolled, the better,” Efting said.
The Duo team is taking steps to encourage all students to enroll by the deadlines.
“We are sending emails to everyone who is not enrolled,” Efting said. “We were sending them once a week, but now we are sending them once a day.”
After those deadlines expire, Emory’s system will prompt users to enroll in Duo before they log into their accounts.
Sanford said that simply having user IDs and passwords are no longer adequate security measures for protecting individuals’ information.
“Yahoo just had half a [billion] of their accounts compromised back in 2014,” Sanford said. “So if big companies like Yahoo and other organizations aren’t immune to having passwords compromised, then Emory isn’t either.”
Security breaches and phishing incidents at Emory, such as the August 2013 security breach, can compromise the safety of account information. Some students have already been affected by hacks and scams this year.
“Two weeks after school started … I had so many random emails,” College first-year Esther Jang said. “It was because I got this email ‘from Emory’ saying to fill out this form for some security measure. I pressed the link, and apparently that link caused [a] hack, because Emory would never send out a link like that.”
Sanford hopes that the implementation of Duo will prevent similar breaches.
“[Implementing Duo] is a step that makes sure that if a bad actor gets access to an individual’s password, that [it’s] not really enough for them to access sensitive information in any application … protected by Duo,” Sanford said.
For College senior Chris Stadnick, Duo is a necessary safeguard for student information.
“Having that extra layer of verification will help protect student accounts, especially with all the hacking and phishing going on today,” Stadnick said.
Before Duo, Emory used a security system called RSA for administrative staff, but it was replaced because Duo was “by far the most user-friendly of the two-factor authentication solutions,” according to Efting.
Since Emory began implementing Duo campus-wide March 2016, Emory Virtual Private Network (VPN), Office 365 and PeopleSoft HR have all been paired with Duo security. Sanford and Efting plan to widen Duo’s coverage to OPUS, Emory Healthcare (EHC) Virtual Desktop, Compass and other applications.
Joshua Lee is a College freshman from Pittsburg, Kansas.
