A safer campus starts online.
UCLA announced that all campus workers, including faculty, staff and student employees, must enroll by Oct. 31 in a multifactor authentication system to log into their MyUCLA accounts. This extra security step requires users to link their MyUCLA accounts to a mobile device, cellphone or landline so that a passcode can be sent to them after they log in.
This new requirement may seem like an unnecessary inconvenience, but the slightly extended time it takes to enter a passcode on top of the usual account password is worth the hassle. Multifactor authentication is a crucial step from UCLA, and it should be a requirement for all incoming students, not just on-campus employees, in order to ensure the most robust online security for as many UCLA-affiliated individuals as possible. UCLA must also encourage returning students to sign up for these bolstered security measures.
Recent cyberattacks on UCLA servers highlight the need for such a move. A cyberattack hit a Summer Sessions and International Education Office server in May. And in 2015, UCLA Health officials announced a cyberattack might have exposed the personal information of nearly 4.5 million people.
It is clear UCLA – and other universities alike – are prime targets of data breaches, and it is not unfounded to assume a future UCLA server breach could even compromise MyUCLA account password lists. Multifactor authentication would help protect against this kind of breach by adding an extra layer of security, so attackers would not only need access to account passwords, but also would need to generate a code to log in – something only the account owner can do on a registered device.
Although students might think a hack of their MyUCLA accounts would be trivial, these accounts contain students’ important personal information. MyUCLA accounts contain banking and credit card information through BruinBill, making identity theft a legitimate threat. MyUCLA is also used to log in to the Arthur Ashe Student Health and Wellness Center portal, which contains medical information.
What is trivial, however, is the amount of extra effort multifactor authentication requires each time a user logs in. Students can make use of multifactor authentication by having numeric codes sent to their phones through the Duo Mobile app, receiving a text message on their phones or receiving a phone call on a cellphone or landline. The mobile app can even generate numeric codes without an internet connection.
The benefits and ease of use of multifactor authentication are apparent, and it would not be difficult for UCLA to start mandating it be used for every new student account created. At the same time, UCLA should keep allowing – and encouraging – returning students to opt for multifactor authentication to secure their accounts.
Of course, there is the concern that students may not be able to access their accounts if they do not have access to their registered devices. UCLA could address this by enabling options like backup recovery codes. Given that a variety of existing applications, like Google’s Gmail, have workaround options for multifactor authentication protocols, it would not be difficult for UCLA to implement a similar solution.
There is no way to completely safeguard against all future cyberattacks on UCLA, but multifactor authentication is a much-needed start.
You have repeated the already well-known consequences of cyber attacks, but you haven’t established that UCLA’s system is inadequate. To save you some time: In general, lots of things sound like good ideas in our heads, but that doesn’t necessarily mean changes are warranted.
The system UCLA uses already appears to be adequate. If the system is actually vulnerable to threats, then a reform might be necessary. Such vulnerabilities are absent in this article.