NYU Students Have Had Enough Of Multi-Factor Authentication
Does MFA have a purpose other than being incredibly annoying?
Since the end of the spring 2017 semester, the NYU administration has been hinting at the implementation of multi-factor authentication (MFA) for all students, faculty and staff. And during the past few weeks, the University has made good on their promise, as now all members of the NYU community are required to enroll in MFA.
According to an email from the NYU IT Service Desk sent to students and staff in late July, MFA is “a security tool that asks for a secondary confirmation of your identity when you log in, using a physical device in your possession.” The NYU MFA webpage claims that it adds “a second layer of security to help prevent anyone other than you from accessing your sensitive information online” through two types of authentication.
While MFA has quickly become an industry standard, an article written by Russell Brandom for the Verve in late July explains that “most two-factor systems don’t stand up against sophisticated users,” i.e., hackers. Brandom cites recently published documents showing Russian hacking groups targeting U.S. election officials “had a ready-made plan for accounts with two-factor, harvesting confirmation codes using the same methods they used to grab passwords.” He concludes that MFA isn’t a “silver bullet” for cyber security attacks. “Adding an authentication code hardens the login page,” Brandom explains, “but smart attackers will just find another angle of approach.”
So why has the University chosen MFA as a viable security measure, and made participation mandatory for anyone who wants to check Albert or access their homework on NYU Classes? Student workers have been required to opt in to MFA since the summer if they want to clock their hours and access paychecks; following NYU’s calendar for implementation, the rest of the student body was required to enroll in the past few weeks, during the peak of finals season.
The outcry against MFA has recently gained momentum; a post on NYU Secrets asking “can someone please explain what purpose NYU’s multi factor authentication is supposed to serve?” has garnered more than 150 likes (and a fair share of debate in the comments), while NYU student Masoumeh Mk even started a petition against it. According to her petition, MFA “hinders many by a) assuming every student is able to own and reach a second device, b) taking up time by being a lengthy process and c) tracking the different devices students hold ownership of (which seems Big Brother-esque to me).” (Mk was not available for further comment).
Supporters of Mk’s petition list various reasons for their frustration with MFA; Ian Edelman wonders “what if your phone dies or breaks?” and Ali Webb thinks “waiting for authentication slows down the log-in process and wastes valuable time both in and out of class.” Emma Indelicato writes, “if a student feels the need to have extra cyber security, it should be their own choice. This mandatory process by the university is presumptive and many students view it as an unnecessary hassle.”
One of the biggest critiques of MFA has been the assumption that all NYU students have a working, up-to-date smartphone, a necessary aspect of enrolling in MFA. According to previous IT email, the University “highly recommends” students use a “personal or business smartphone or tablet with the Duo app installed” for their secondary confirmation of identity; the MFA webpage states that a smartphone is the “device that is most convenient” for multi-factor authentication. There is an option available for students to use a landline, but the same email reveals that this will “incur charges,” thereby making an already economically disadvantaged student pay to access necessary services like Albert or myTime.
For Gallatin junior Kat Facchini, a supporter of Mk’s petition, this is one of the biggest problems with MFA. “I would like to know what steps they think a student should take when they have an unreliable device, or if they would like to pay to fix those devices, since they’re essentially making it necessary to have them,” Facchini said, echoing previous concerns of a broken or missing second device. “I understand the perception that having a smartphone is very common, but the students that do not have them or have unreliable smartphones are already probably facing hardship due to economic insecurity and have to deal with that in the NYU community on a daily basis.”
Like many other students, Facchini takes issue with the timing of MFA enrollment. “The deadlines for signing up were poorly placed, especially the most recent deadline being this past week, when many students are gearing up for finals.” In general, she feels that “MFA has been poorly implemented at NYU,” a sentiment that seems to be increasingly popular. A spokesperson for NYU had not responded to requests for comment at the time of this article.
While MFA is, time-consuming and frustrating for many, Facchini and other students have drawn attention to more serious problems surrounding the implementation and enrollment. “I think that the administration needs to take the needs of students seriously,” Facchini says. “And think about how they could better secure the NYU online network without it being at the expense of the students.”