More to Multi-factor Authentication Than Meets the Eye

Reported By: Anika Perry

Photographed By: Yolanda Diaz

With the recent decision by George Fox University (GFU) to require students to use multi-factor authentication (MFA), students are now required to enter an additional password or accept a notification sent by OktaVerify when signing on to school related sites like Canvas and MyGeorgeFox.

MFA is a layered approach to keeping data secure. Typically, MFA requires a separate password in addition to a password a user would typically use to sign on to a platform. Tim Goodfellow, the chief information officer for GFU’s Institutional Technology (IT) department, says GFU decided to require MFA for students because it is “best practices.” 

According to Goodfellow, MFA is the industry standard for protecting data. Another reason for the decision was compliance. The federal government will require MFA for institutions in June 2023. Since GFU is a recipient of federal funding such as Pell Grants and student loans, GFU decided to be ahead of schedule and implement MFA into their systems early.

With MFA, students have the option to receive their additional password via text message (SMS), phone call, or receive a push notification through the OktaVerify app. 

OktaVerify is a vendor of MFA that GFU purchased. According to Goodfellow, the university’s decision to choose OktaVerify specifically was because of their single sign-on; when you login into one application, it will log you into others. OktaVerify also made it easy to implement MFA for GFU accounts.

While MFA may be successful in protecting user data, it takes longer to sign on to sites because a user has to enter an additional password or accept a notification. 

Goodfellow stressed the importance of security over convenience, encouraging students to think of the bigger community. Goodfellow says a common tactic of cybercrime is to hack an account belonging to an institution, build trust with others within that institution through the hacked account, and then cause harm by sending phishing or spam emails.

Goodfellow stated it is also important to not underestimate what people can do with a student account. For example, GFU student accounts can be attached to bank accounts for direct deposits. If someone was able to hack a student's MyGeorgeFox or email account, they would have the ability to change which bank account paychecks were going to.

When a user tries to login to an account, OktaVerify sends a prompt to the user’s preferred communication channel like the OktaVerify app or phone number. So, even if a hacker knows a user’s username and password, they would be unable to access the account without the user’s permission through OktaVerify or the additional code sent to the user’s phone.

This layered approach helped against a recent phishing attempt on a GFU professor. Goodfellow explained that a hacker tried phishing a professor by asking them to review a document. The link to the document prompted the professor to enter their GFU username and password. Entering their username and password gave the hacker that professor’s GFU login credentials. 

Despite the hacker having a professor's login information, they were unable to gain access to the account because OktaVerify alerted the professor and the university about a suspicious login. Because of the additional security, the professor was able to tell OktaVerify that an unauthorized person was attempting to login to their account, and restrict access. 

While some students may dislike the university’s decision because it takes longer to login to university accounts, it has proven successful in protecting user data, like personal information and banking information. MFA protects the larger GFU community by providing additional security against phishing and hacking attempts.