All University students will be required to enroll by Feb. 14 in two-step verification as an added layer of security when accessing PennKey-protected websites and applications. Faculty and staff have already been required to enroll.
Two-step verification requires users to first log in to the Penn-related website and then verify their identity using an additional method. They can either receive a call or text to confirm the identity, obtain a code from the Duo Mobile app, use one-touch approval on the Duo Mobile app, or get a generated code from a registered key fob device.
Faculty across all schools met their Oct. 31 deadline to enroll in two-step verification, confirmed James Brewer, IT Director of Penn’s Identity and Access Management program. Staff members have been required to use two-step identification since November 2017, the Penn Almanac reported. Prior to the deadline, faculty and students could register for two-step online.
Two-step verification is “the current standard” for logins to sensitive sites, Brewer wrote in an emailed statement to The Daily Pennsylvanian, as it helps ensure the person logging in is the actual user.
“Passwords alone are far too easily cracked, stolen, purchased, or simply handed over by victims through phishing and other 'social engineering' attacks to provide reliable security,” he wrote.
Information Systems & Computing, Penn’s central IT organization, helped create the templates to support two-step verification at Penn. The actual enrollment of students and faculty, however, has been led by the individual schools, college housing, and student groups.
There have been concerted efforts to get faculty, staff, and students enrolled in this program.
Dental School Director of Information Technology Melissa Miller said her office placed promotional materials in common areas and sent emails about two-step to all dental students, faculty, and staff prior to the deadline. They also provided in-person support to help with enrollment, and successfully enrolled faculty and Dental students by Oct. 31.
Third-year Dental students Malika Jhawar and Catherine Dang, who heard about two-step verification through emails from the Dental School, said that two-step is easy to use but still adds time to the login process.
“It’s just like another step of logging on, so maybe it would be nice to figure out why we need it,” Jhawar said.
“It’s easy but it’s kind of inconvenient,” Dang added. “But if it’s necessary then I don’t mind using it.”
Miller said Dental students and faculty seemed “comfortable with the flexibility” of options for authentication and that logging in with two-step is “set up to be pretty straightforward.”
Engineering students received an email on Nov. 1 with information about two-step verification and instructions for registering, IT Senior Director Kris Varhus said. Similarly, Dan Alig, Chief Information Officer for Wharton Computing and Information Technology, said Wharton will include information about two-step verification in technology update emails typically sent at the beginning of the term.
ISC is also partnering with College House Computing to organize a competition between college houses to encourage as many students as possible to enroll before the deadline. College House Computing Director Dan Thomas said the contest is running from Oct. 15 to Nov. 16 and that the first houses to reach 50 percent and 90 percent enrollment will receive House Cup points and be entered in raffles. While no house has reached 50 percent, Thomas said that Stouffer and Gregory are currently in the lead.
Penn CASE, a consumer protection organization, has hosted several privacy-themed events and handed out information about two-step at different locations around campus, said Penn CASE President and College senior Ben Friedman.
Friedman said while people may initially have difficulty with two-step, “in the long run it really does so much for your privacy and security, it’s worth that small adjustment period. And once you get used to it, you don’t even notice it.”