USC implements student multi-factor identification

Jihoo Kim’s difficulties with the Duo two-factor authentication system come in the form of small inconveniences. Having to race from one room to another to verify the login on her phone while working on her computer presents a problem for both Kim and her roommate, the former, who has missed “so many classes” on Zoom because of the double authentication requirement. As cell phones aren’t allowed in some of her classes, Kim has found Duo, which operates exclusively on mobile phones, a “hassle.”

Beginning Jan. 20, students were required to use Duo to add extra protection into their USC systems that require the NetID sign-in process. While Kim, a junior majoring in international relations, understands the importance of security and keeping information safe, she is among many students who aren’t “huge fans” of Duo.

The prevalence of worldwide ransomware incidents has “regulators and insurers [sic] now requiring a type of added protection for email accounts,” according to Gus Anagnos, USC’s chief information security officer. A ransomware attack occurs when a hacker takes the system containing sensitive information hostage and demands a ransom in exchange for unlocking the system. The added protection through programs such as Duo, known as multi-factor authentication, helps raise the likelihood of the right person signing into that email account. 

“Think of it like an alarm code in addition to the key to your front door — to better prevent criminals from using your USC email to send malicious emails to other Trojan Community members, including those who have access to sensitive data and systems,” Anagnos wrote in a statement to the Daily Trojan. 

Nicolas Marquez, a freshman majoring in business administration, said he believes Duo is a safe alternative and is relatively effective and easy to use. But the process of Duo still bothers him. 
“It is annoying especially when you kind of just need to go into MyUSC or get something quick,” Marquez said. “Sometimes some of my friends don’t have Wi-Fi or their phone’s dead, so then they can’t even log on on their computer.”

While the change is recent for students, University staff members have used Duo for the past few years. For Jenn de la Fuente, an adjunct professor of public relations, Duo was bothersome at first but has since “melted into the background.”

“It’s something that people have to get used to,” de la Fuente said. “So much is tied to our USC ID that it’s almost a no-brainer to have an extra layer of security.”

According to Anagnos’ statement, the implementation of Duo aims to protect users’ sensitive information, including addresses, birthdates, social security numbers and medical records. 
When logging on, Duo offers three options as authentication past a username and password: “Send Me a Push,” “Call Me” and “Enter a Passcode.” According to the Duo guide, Duo recommends using the “Duo Push” feature, which can only be done through the Duo Mobile app. 

Carol Zhou, a sophomore majoring in public policy, recently discovered the Duo Mobile app but has only used the call and text options. Zhou said her issue with Duo is its “timing” as the app often loads slowly and takes a while to call her.

“Typing in the code takes a long time because it doesn’t auto enter,” Zhou said. “And when [Duo] calls me, I don’t want to disturb the people around me … I understand where it’s coming from, but it’s so inconvenient.”

Though viewed as inconvenient, MFA services like Duo can block up to 99.9% of account compromises, which are a very common entry point for ransomware attacks, Anagnos wrote. 

As someone who has been previously hacked, de la Fuente said she also uses two-factor authentication on her personal Gmail account for the extra layer of security it provides. She said she believes people need to be aware of internet security. 

“It’s a smart idea to implement in a lot of other things in our lives,” de la Fuente said. “We do so much via email. We have so much of our information online.”