UCLA experts said while multifactor authentication may protect users’ personal information, requiring them to authenticate frequently is redundant.
All UCLA students are required to use multifactor authentication to log in to their MyUCLA account starting April 17. Multifactor authentication is a security enhancement system that requires users to provide two methods of identification when logging in to UCLA websites, such as through the mobile application Duo with a text message or a phone call.
Administrative Vice Chancellor Michael Beck said in an interview with the Daily Bruin Editorial Board on Monday that multifactor authentication is necessary because there are many attacks on campus information technology infrastructure on a daily basis. He added students’ personal information has been compromised in the past.
Jens Palsberg, a computer science professor, said even though he agreed multifactor authentication would make UCLA’s online environment safer, he thinks Duo makes the MyUCLA login process inconvenient, because users need to authenticate frequently.
The app requires each person to authenticate every few hours, which is a trade-off between redundancy and safety, Palsberg said.
“We can get the safety we need by authenticating every few weeks,” he said. “UCLA has increased the hassle way too far with the current setting of the multifactor authentication.”
Carey Nachenberg, a computer science department adjunct professor and chief scientist at Chronicle, a cybersecurity company, said this problem could be solved if the app were to allow a setting that only requires authentication when it detects unusual account activity, such as logging in through unfamiliar devices.
Cybersecurity breaches in the past 10 years have shown that password authentication by itself does not sufficiently protect an account from being hacked, said Peter Reiher, an adjunct professor in the computer science department.
Reiher said cybercriminals may illegally hack into an account by guessing simple password patterns. Successfully acquiring the password of one account would also jeopardize the user’s other accounts if they share the same password.
Since companies typically keep information, such as a list of passwords, in a file, it is also possible to gain unauthorized access to accounts by accessing that file, Reiher said. He added it is possible for companies such as Yahoo to lose thousands of passwords if they lose the data file.
“UCLA is a little late to (introduce multifactor authentication), but I’m glad that we caught up,” he said.
Reiher said users at UCLA cannot log in to their accounts when their mobile devices run out of battery or do not have access to the internet. However, he said this can be solved by having a backup multifactor authentication device, such as a landline.
Students who do not own a cell phone or misplace their phone can receive temporary tokens from Bruin OnLine that they can plug into any computer when logging in to UCLA websites. Nachenberg said some multifactor authentication services, including Duo, also provide codes that can be typed in without an internet connection.
Sacrificing personal convenience to implement multifactor authentication not only protects students’ personal information but also protects the UCLA community as a whole, Reiher said, because illegal access to one student’s account may allow cybercriminals to access other accounts in the UCLA system.
“The trade-off is not only between individual account security and convenience,” he said. “(Multifactor authentication) benefits the online security of the whole community.”