Multifactor authentication. Many of us groan and roll our eyes the second we hear those words, and for good reason.
Multifactor authentication is a security system that asks a user for more than one form of identification to log in to a secure database. The first form of ID is typically a password – something only you would know. Traditionally, this is all that’s been required; but with hacking techniques becoming more prolific and sophisticated, a second measure has been adopted.
And that second measure is probably sitting in your pocket right now: a smartphone.
As excessive as it might seem, multifactor authentication has become increasingly necessary. Over the past few years, UCLA has suffered multiple cyberattacks on its servers: namely UCLA Health’s database and UCLA administration’s server, which hold patient and student information. These attacks put our private information at tremendous risk of being stolen.
But the benefits of increased security don’t always outweigh the costs.
UCLA’s multifactor authentication system has proven to be an annoyance at best and a barrier to critical information at worst. A secondary authentication only lasts for a few hours, meaning students must log in multiple times a day, regardless of whether it’s on a personal smartphone or a public computer.
Peter Reiher, an adjunct professor of computer science, said the level of security that UCLA currently employs in terms of multifactor authentication is inconvenient and potentially problematic.
“As a professional, I don’t enjoy it,” Reiher said. “It affects our access to grades, salaries, taxes, histories and medical information, which constantly requires access and authentication.”
Beyond the frequency of access lies the quality of access. Repeated logins on the same device add up to more than just a minor inconvenience over the course of a day – let alone a week or a year. Allowing a trusted device that requires logins less frequently could eliminate some of the existing inconveniences the system causes.
The addition of trusted devices would be a welcome solution. This would maintain security across unfamiliar and personal devices alike, while minimizing the inconvenience on a trusted device.
Unfortunately for students, UCLA seems to have trust issues.
Reimagining the authentication process comes with certain challenges – one of which is finding a balance between security and convenience.
“The difference in security between using the (multifactor) system multiple times a day in comparison to once a week … is significant,” Reiher said.
For a university as big as UCLA with such an expansive digital network, a week may be too long a hiatus between logins.
Fortunately, a happy medium is still in the cards.
As of right now, the intervals between authentication are too short and overly inconvenient to be justified. But lengthening authentication periods is not the only way to approach increased accessibility.
“I wish there were also an email option to authenticate in case we lost our phones,” said Kaushik Donthi, a fourth-year neuroscience student. “Students should have more options to authenticate.”
This is indicative of a serious problem: The accessibility of a smartphone determines whether or not you can log in. If someone loses their phone or runs out of battery, they also lose critical access to their personal information. With time-sensitive issues like submitting transcripts or financial aid documents, students can’t afford to be shut out.
Jason Yang, a fourth-year microbiology, immunology and molecular genetics student, said that expanding on the flexibility of the system can make a bigger difference than the amount of time between verification.
“If my phone is out of battery, I can’t log into MyUCLA at all,” Yang said. “There are definitely ways this process can be improved.”
The financial burden of a smartphone and the accessibility of a data plan could bar some students from easily logging in. Adding options beyond the Duo app or a phone call would give students more freedom, which could alleviate some of the inconvenience caused by frequently required authentication.
Simply put, a phone shouldn’t be the barrier to accessing one’s private and personal information.
“We understand that security controls can add a level of inconvenience to our daily lives, and we strive to weigh that inconvenience against the risk of a compromise,” a UCLA IT Security representative said in a statement.
But compared to other universities that have started to utilize multifactor authentication, UCLA falls into the overly stringent category. Other top universities in the country – including Harvard University, Stanford University and the Massachusetts Institute of Technology – use the concept of a trusted device, which can keep you logged in for longer than 24 hours. For instance, MIT students have the option to remember a device for 30 days – a far cry from the maximum of 24 hours that UCLA students are allowed. Other universities still have good security habits and make sure their information is safe without sacrificing the convenience and accessibility of students’ information.
It’s understandable that sometimes we have to compromise convenience for security. But UCLA has room to improve the system without undermining online protection.
There are plenty of ways, and reasons, to make a disgruntled face when accessing MyUCLA.
But there are also plenty of ways to fix it.
Lol, this is a stupid article. You can just go to the Bruin Online desk and ask for an authenticator keychain. There are plenty of problems with Duo, but you focused on the worst and most moot point.