Rutgers increases cybersecurity with 2-factor authentication system
Rutgers is taking measures to increase cybersecurity by launching a two-factor authentication procedure, an added feature for logging into email or other digital services.
Two-factor authentication is a two-component method to ensure that only the owner of a digital service, like an email address, can access it. The first component is a password: the user types in their password as they normally would.
The second component requires the user to have a device that will verify their identity, such as a smartphone. The user receives a text with the passcode, which they then type into the account to verify their identity.
With security breaches and password leaks becoming more frequent, many internet services and companies have begun to roll out two-factor authentication (2FA).
Rutgers will now use two factors with the introduction of NetID+. One of the factors, the NetID password, is something "the user knows," while the other involves something "the user has," according to the Office of Information Technology’s website.
For NetID+, the item "the user has" can be a smartphone app, SMS messages, phone call or hardware token. The OIT website recommends using the mobile application from Duo Security to help protect user information.
The mobile app provides two methods of confirming a user's identity: a login request and a generated code.
When using the login request, Duo sends a request to the smartphone app that requires user approval. The generated code works similarly to other two-factor services, where a unique identifier produces a six-digit code every 30 seconds to be used as a second passcode.
For users without a smartphone, Duo also allows the six-digit code to be sent through text messages or produced through a physical hardware token. Duo can also call the user’s phone to confirm the user’s identity.
These methods cost the University additional fees and as such are not recommended, according to the OIT website.
Using two factors instead of one adds a second layer of protection that cannot be easily obtained by a would-be hacker. Even if a NetID password is given away in a phishing attack or leak, the second factor would remain only in the hands of the user and prevent access to online services.
The OIT website recommends using a smartphone, but if a user does not have a compatible device, a request can be put in for a hardware token through the Rutgers Software Portal.
The website also recommends that users enroll more than one device as a second factor to prevent user lockouts in case their smartphone is lost or stolen.
If all other methods fail, the user can contact the Rutgers Help Desk, who can provide a temporary bypass code.
All employees who submit expense reimbursement requests or create procurement shopping carts will be required to enroll in NetID+, due to the nature of their work and the access they have, said Frank Reda, the Director of the University’s Office of Information Technology, via email.
OIT chose to utilize Duo Security to run two-factor authentication because it supports many different devices and options to be used as a second factor, as well as the fact that many other Big Ten schools utilize Duo, Reda said.
There are currently 603 users registered in NetID+, but the rollout will continue until the end of September. The users currently registered only represent a fraction of those required to do so, Reda said.
At the moment, only active Rutgers employees, student workers and Rutgers guests are able to use NetID+, he said. It will be rolled out in phases to other roles.
OIT would use a vocal information campaign to encourage faculty and staff members to sign up by explaining how easy it is to use 2FA and what the benefits are, said Michele Norin, senior vice president and Chief Information Officer at Rutgers.
"We need to do that marketing piece and then we’ll figure out when it might be an appropriate time, if it would be an appropriate time to make it mandatory," she said. "There are some parts of our portfolio where we’ll push a little bit harder to make it mandatory, like around our administration services."
The service will not be mandatory for the time being, she said.
Expansion of NetID+ is in OIT’s broader plans, but there is no specific timetable for it to be rolled out, Reda said.
There are several factors to consider before OIT can roll 2FA out to students, including the fact that most students are only at Rutgers for a few years before graduating and leaving the school, Norin said.
"It’s a much bigger population so we need to be ready with the help side of that service, and we need to work with the community," she said. "We need to look at how that works and how would we manage it effectively so it’s a smooth experience for students."
In order to enroll in NetID+, users should visit netid.rutgers.edu and select “Manage NetID+” in the left navigational menu.
"I think from a conceptual perspective (2FA is) becoming a standard in the industry. I think it’s a good practice," Norin said. "I think it would work, I think it protects our environment a little bit better."
For more information, users can visit the NetID+ website, which also contains technical information, tutorial videos and FAQs.
Michael Makmur is a School of Arts and Sciences junior majoring in astrophysics. He is a staff writer for The Daily Targum. Follow him on Twitter @MikeMakmur for more.