Who’s afraid of multifactor authentication?

Jody Greene

Well, I am, for one.

Or at least I was when I sat down a couple of weeks ago to “enroll” in the new campus-wide effort at greater electronic security called multifactor authentication (or MFA). I count myself among the cantankerous majority who shudder when the campus rolls out a new technological enhancement with which all of us will be required to comply. I’m not very good at seamlessly integrating new systems and platforms. I balk when I hear that some further barrier to the already not so smooth workings of my electronic life will be erected. I especially freak out when something is introduced that will potentially affect the already, for me, fragile functioning of classroom technologies such as Canvas quizzes and access to Google Slides. Basically, my entire response to upgrades like this can be summarized with a life-sized emoji of Edvard Munch’s The Scream.

A little background: as you have probably heard (even if, like me, you metaphorically put your hands over your ears or just hit delete when this kind of notice arrives in your inbox), over the next six months, by October, 2019, UCSC is transitioning to mandatory MFA for most campus online systems that require a Gold password. Right now, at least for faculty and students, this includes platforms like myUCSC and Canvas. Sometime in the summer, when Google also transitions to MFA, you can add your Drive, Docs, Calendar, Mail, Slides, Sheets, Chat, and Meet to the list.

That’s pretty much our entire selection of online instruction-related tools. And so, you might very well ask, WHY?

Also known as “two step authentication,” MFA is familiar to many of us from situations such as when we log into a bank account or other financial website using an unrecognized computer. The website sends a code to our cell phone that we must enter before proceeding with the transaction. MFA provides added security to prevent someone from using a stolen or hacked password to impersonate you.

Faculty are required to adopt MFA by May 20 and staff by July 29. Students will need to enroll between Sept. 3 and Oct. 21.

In university settings, MFA helps to keep student data, like grades, completed assignments, and contact information more secure. It also helps students protect their financial aid from theft. For faculty, it helps us keep our gradebooks, quizzes, exams, and instructional records--as well as a significant portion of our research output and personal information--safe from hackers and others who might want to access our data. The goal of MFA is to create a multilayered approach to personal identification that makes it difficult for any unauthorized person to gain access to our systems. This reduces the risk of fraudulent access to user information or UCSC resources, as well as materials related to classroom instruction and student academic records. Students using tiny devices to hack into faculty accounts and change grades: sound like fantasy? It isn’t. If that sounds too high tech, at least none of us is trusting enough to save our passwords on a browser, right? Right.

As far as classroom usage goes, faculty should be aware that students will need to use their MFA enrolled device (smartphone, tablet, or token) if they are going to connect to campus electronic systems like Canvas in the classroom. Enrolled devices will need to be handy if students are to connect to Canvas and other systems requiring a Gold password. Students (and faculty) who have not yet enrolled in MFA may be delayed in accessing campus information systems until they have completed the enrollment process. In addition, faculty who do not routinely allow the use of cellphones in class may need to allow phones to be out at the start of a quiz so that students can authenticate. Instructors should be aware of and assess the impact this may have on classroom instruction, groupwork exercises, or administration of exams.

Additional information on MFA in the classroom can be found online.

One piece of good news is that the campus has modified the original MFA plan in response to faculty and staff concerns. The ‘Remember Me’ feature is now available and allows you to only have to MFA once every 14 days on your computer. Instructors who want to conduct Canvas quizzes or other online assessments in class should remind students to “authenticate” prior to the in-class exam.

I’ll be honest: I didn’t find the enrollment process seamless, but in total it took me less than 15 minutes, and we’ve already established that I’m not gifted with the technical stuff. I enrolled my cellphone and tablet, and I also made sure to procure a token, which is a quasi-magical device you can use to authenticate when you are out of the country or in a place where cell connection is unreliable or non-existent. This is particularly important for faculty who routinely do research abroad or in remote locations. If you’re planning to head elsewhere to do research this summer, for instance, you’ll definitely want to take a token, since the Google changeover to MFA will happen at some point during the summer months. Faculty and other researchers should enroll before leaving town to avoid any … frustrations. These tokens are also a suitable solution for students who may not own a smartphone.

Just a few weeks later, I will grudgingly admit I’ve found the MFA process has become pretty much second nature, especially now that I can authenticate once on each device every two weeks. The primary time commitment is in the initial enrollment of your phone and tablet, and (should you need one) procuring a token. Hitting a little green “allow” checkmark on my phone twice a month is annoying, but not really that annoying. There, I said it.

For questions about classroom usage or other MFA concerns, please contact your ITS Divisional Liaison (DL) directly. You may also submit a support ticket with the ITS Support Center using the keyword MFA at https://itrequest.ucsc.edu, or by email help@ucsc.edu or telephone 459-HELP(4357). If you run into difficulties with MFA in classroom settings, please reach out directly to the Center for Innovations in Teaching and Learning (citl@ucsc.edu), so we can document (and try to solve) challenges faculty and students are facing with this new technology in the classroom.