If logging in to Academica didn’t take long enough to load, an extra step has been added, but will provide extra coverage.
Duo Push was implemented late last semester by Wayne State’s Computing and Information Technology department after an employee, like many students, fell victim to a phishing scam.
What do these look like? An email arrives in your inbox. It explains how you need to log on to your Academica account and change your billing and payment information on the university system. It seems real enough, so you do it. Your next paycheck goes to pre-paid debit cards registered in Nigeria.
Due to this, Duo Push, a two-factor authentication system was implemented.
“This is a result of fraud that happened in a spate of phishing attacks where hackers went in and compromised information from [university] employees,” said Kevin Hayes, director of information security at C&IT.
Many became aware of Duo Push the first day winter registration for classes was available. Current students who are also employees must use the authentication method to register for courses and those who are, were delayed until registering an account.
The smart phone application is now necessary for all employees to access WSU systems containing personal information.
The app is powered by an Ann Arbor-based company called Duo Security, said Hayes. He said WSU chose this company because they wanted to make an authentication process “as easy as possible.”
WSU ran and compiled numerous surveys to represent people’s habits in order to choose the appropriate system, he said.
“[Key fobs] can be used, but people don’t like carrying more things,” said Hayes. “But everyone has a smartphone.”
Whenever an employee wishes to access certain areas in WSU’s Academica or Banner systems, a code is sent to the employee’s phone. The system will not be accessible without this code.
Hayes said the two-factor authentication system was rolled out gradually in the university. C&IT gave presentations to university leadership and it had a “relatively well” public relations campaign, he said.
The requirement began with mangers and then kept growing to encompass more employees with every pay period since they have the most information to access.
“Approximately 9,000 people have now been enrolled,” he said.
Despite the slow implementation, some WSU employees felt ill-prepared to start using the authentication system.
“It appeared to be a scam or a phishing attempt, not an official thing,” said Ali Salamey, academic service officer in WSU’s Honors College.
He said the university lacked a rollout campaign for the employees, leaving many unanswered questions.
“Who is Duo, why do we need this and what does it protect?” Hayes said were some of his initial questions.
Hayes said the C&IT department is exploring opening the two-factor authentication system to all WSU students. However, he said it is difficult because the system is currently “all-or-nothing.”
Current students who are also employees must use the authentication method to register for courses.
WSU junior and Public Health student Antonio Mercatante said he does not think the authentication method is necessary.
“My account was hacked by a phishing scam,” he said. “I believe we just need to educate our staff and faculty on these issues.”
Hayes said he would personally love the option of a two-factor authentication system for all WSU students, but stressed “not necessary, but available.”
Hayes said he is a “big proponent of self-serving security.”