USC limits two-factor authentication


USC Information Technology Services ceased Duo two-factor authentication for students beginning Feb. 24, excluding student workers. The security app, implemented in early January, provides additional protection for users by requiring sign-in via their USC NetID. (Simon Park | Daily Trojan file photo)

On Feb. 24, ITS withdrew two-factor authentication from Trojan Check and Blackboard for students, excluding student workers and employees taking classes.

Duo was implemented on Jan. 20 as a requirement for all students signing in through the NetID process. Duo offers three options when students log in: “Send Me a Push,” “Call Me” and “Enter a Passcode,” which verifies that the individual logging in has access to the mobile device linked to the account, increasing the likelihood that the correct user is signing on. The provision was found necessary by the University as a cybersecurity safeguard to defend private information against ransomware attacks.

Amid the Undergraduate Student Government elections in February, write-in ticket Safal Mengi and Kyle Valdes distinguished themselves through their three-week implementation plan for limiting the requirement of Duo two-factor authentication. The ticket wanted to expand the timeframe that a user’s login is remembered from eight hours to 24 hours and limit the Duo requirement to USC NetID Gmail sign-in. 

Ryan Christian, a sophomore majoring in business administration and a student worker at the Leventhal School of Accounting, said she agrees with the University’s decision to limit the Duo requirement, but retain it for student workers.

“When you’re a student worker, you have to deal with a lot more things first hand — especially school related,” Christian said. “[When] helping out professors and things like that, you can tell they really want things to be extremely secure so that information doesn’t get to the wrong people and isn’t miscommunicated to the student body.”

Mengi connected with Robert Lau, the chief information security architect at USC ITS, and examined the University’s cybersecurity insurance policy through a class he took with Zivia Wilson Sweeney, an associate professor of clinical accounting. Mengi, Valdes and Lau collaborated, which led to the formation and circulation of a petition that called for Duo’s limitation. 

“We successfully advocated for two-factor authentication to only take place when logging into Gmail,” said Mengi in a Feb. 18 interview with the Daily Trojan ahead of the USG election. “Our cybersecurity insurance actually requires us to have two-factor authentication, so I took a closer look at the contract and noticed that it said it was only for Gmail.”

Sweeney said that she strives to create a learning environment where issues important to students, such as eliminating Duo, are also important to her.

“I called [Lau] and had a really nice talk … He goes, ‘Look, you know, [the students] are our clients,’ which was so refreshing because I’ve worked with IT departments and sometimes they don’t view the end user as a client, but in this situation, [it’s] very professional.”

Mengi said the change would reduce foot traffic at Trojan Check campus entry points, as there would be less students holding up the line while trying to log into their Trojan Check app with Duo. Crowds of students waiting in line for Trojan Check, he said, increase risks related to the spread of the coronavirus.

Emery Ogah, a sophomore majoring in business administration and a student worker at the Leventhal School of Accounting, said he’d like to have a longer time period after completing two-factor authentication before he has to complete it again because he said the process is “tedious” for him.

“I find it very annoying … but I think it’s for protection,” Ogah said. “They should make it like if you signed in one time, you[‘re] good on all your devices, at least for today, because I’d be signed in three times in the span of 15 minutes.”

Christian said the adjustment to the two-factor authentication requirement offers a precaution to secure information while being convenient for students.

“It’s sometimes annoying to have to repeat the process of going through two-factor [authentication]. But, essentially, I like that it’s being limited to Gmail only,” Christian said. “I feel like it’s super nice to have your emails extremely secured and very protected in that way.” 

Sweeney said she is satisfied with the change her students’ petition brought about.

“I feel like I stood up for my students. I addressed something that was important for them, which is, I believe, a big part of my role as faculty member and I’m glad to know I played a small part in getting a big process changed,” Sweeney said.