Written by Ben Lane
The University is implementing a faculty and staff-wide multi-factor authentication (MFA) key for school account logins over the coming weeks to more safely secure personal data.
Multi-factor authentication, also known as two factor authentication, is the practice of requiring two pieces of evidence to prove identity. A common example of this practice is to send a pin number through text message or email to an individual that is required for login, along with the username and password.
The main push of implementing MFA at the University is to better ensure the safety of faculty and staff personal information, senior vice president Keith Cronk said.
“Harding has a lot of data about a lot of people,” assistant vice president Mike Chalenburg said. “It’s incumbent on us to protect that as well as we can.”
Security was not the only reason for MFA. Harding uses cybersecurity insurance policies, and, without MFA, premiums of those policies will increase significantly, Chalenburg wrote in an email to Harding employees. Cronk said he believes the University would have used the new login process regardless of if it saved money.
“It’s not like we were sitting here saying, ‘Premiums gone up, we better do it,’” Cronk said. “We were going to do it anyhow.”
Last week, employees were able to set up their MFA in the Information Systems and Technology (IS&T) office if employees chose to. IS&T began registering employees who did not opt-in last week for MFA on Sept. 27 by going to the different buildings on campus to individually register them. Employees may register themselves when an instruction sheet is completed and sent to them. Off-campus facilities are next to implement MFA after the main campus is complete.
Login is required each time a new browser tab is opened. However, employees may leave their browser open for one week without closing it, and they will stay logged in for seven days. With this policy, login and validation through MFA will be required fewer times if the browser remains open.
As of now, only Harding employees are required to use a MFA. Students may be required to use a MFA in the future, which could be a difficult task, Chalenburg said. One challenge to students using MFA is the testing lab, where phone use is not permitted, and students are required to login.
The implementation of MFA is not unique to Harding or in higher education. Other universities, such as Harvard and the University of Indiana, use MFA, and Cronk said he believes all universities will use a form of MFA eventually.
Harding has not been impervious to data hacking attempts. An unidentified student accidentally took part in a phishing scheme, Cronk said, where the student gave up their username and password. The University caught the mistake before personal data was stolen and found that with the data accessible from a username and password, the victim’s grandparents’ bank account information was accessible.
The incident sparked a board member’s inquiry into protecting students and employees from phishing schemes, and after. Cronk attended a conference in which a case study of two universities who use MFA was presented.
“There are plenty of hackers trying to get into universities and all kinds of sectors of business,” assistant professor Emmie Mercer said. “We’re not immune to that … I appreciate [MFA]. I truly do.”