By now, everyone logging into the Nest, Canvas and Google Workspace on the sju.edu domain knows that it takes a step beyond the old and familiar username and password procedure. The Office of Information Technology (OIT) implemented Azure Multi-Factor Authentication (MFA) for all St. Joe’s online services this summer.
Some faculty and staff had already been using MFA for several years, but the decision to implement MFA across the entirety of the university was impacted by an effort to increase cyber security, said Francis DiSanti ’79, vice president and chief information officer.
“The choice around those was weighed heavily on the sensitivity of the data and the nature of the data,” DiSanti said.
MFA is an online security mechanism that requires an extra credential besides a user’s password. In addition to protecting data, MFA also serves as a defense.
Cyber attacks against colleges and universities have been rising in recent years, with a large surge happening in 2021. According to Microsoft Security Intelligence, just over 80% of cyber attacks tracked from Aug. 20 to Sept. 19 targeted the education industry, totaling 7,214,155 attacks. DiSanti said St. Joe’s experiences probing attacks daily.
“They are constantly probing accounts, trying to guess passwords, and in some cases, they have a compromised account, and they are trying to take full advantage of it,” DiSanti said.
Because St. Joe’s offers financial aid, the university’s cyber security measures are audited frequently to comply with government regulations such as those outlined by the Federal Trade Council (FTC) and the Gramm-Leach-Bliley Act (GLBA), according to Philip Ichinaga, chief information security officer.
“We have financial audits, financial aid audits, insurance requirements, etcetera, and they require, at this point, multi-factor authentication,” Ichinaga said.
MFA increases protection for online accounts because it requires users to do several things, said Wei Chang, Ph.D., assistant professor and chair of the computer science department. Users log in with biometric scanners, such as a fingerprint, or something they know, such as the answer to a security question, or something they have, such as a mobile device.
“Maybe you’ll have one password for SJU, the same password for your bank account, [and] for an online shopping site,” Chang said. “Once hackers get this password from somewhere, that hacker can use the same password to try different websites. So then this causes a security problem.”
Even if a hacker has a user’s password, two-factor authentication will prevent them from logging into a St. Joe’s account or, for example, a user’s bank account, in large part because the hacker will not have the user’s phone, Chang said.
Two-factor authentication means one extra credential besides a user’s password is required to sign into online services. Two-factor, or MFA, works using the Microsoft Authenticator app or text messaging as the second credential to sign into accounts.
St. Joe’s does allow users to use YubiKey, a USB-based device, as an alternative to using a phone. Manufactured by Yubico, the YubiKey plugs into a device to provide the second factor of authentication instead of a phone. Some newer versions of YubiKey offer near field communication (NFC), which means that holding the YubiKey against a computer or phone will verify an identity.
“It’s going to be compatible with lots of services outside of St. Joe’s,” Ichinaga said. “It will be helpful for St. Joe’s of course, but you’ll be able to use it anywhere else it’s supported. And, it’s your own, so the university doesn’t control it. It’s private, we don’t have access to it. It literally is yours and yours only.”
YubiKeys are available for purchase online from Yubico.com or Amazon.
For students studying abroad, Ichinaga recommends using the Microsoft Authenticator app, which runs on a wireless connection instead of a cell phone number.
“The Microsoft Authenticator application will work on that same wireless network if they bring their phone for example, but don’t activate it,” Ichinaga said. “They can still use it wirelessly with the same internet connection they would fill a laptop while they’re abroad, and it will still work.”
The extra steps are taking some getting used to for some users, like Emily Cecchine ’25, who is not fond of the new two-step verification process.
“It just adds on that extra minute,” Cecchine said. “And sometimes when you’re trying to use Canvas in class really quickly, it’s a little bit annoying.”
But the added layer of security does bring some more peace of mind, said John Schiele ’23, a computer science major.
“The Nest obviously has a lot of personal information for all students,” Schiele said. “They can go through class schedules, registration, tuition, financial aid. So it’s nice to have all that a little bit more secure.”
Schiele said he also understands that many students might find the new two-step verification process an annoyance, but added security is worth it.
“For me it’s putting a thumbprint in, and then I’m good to go usually. I think it’s worth it,” Schiele said.
Aodhan Simspon ’23 contributed to this story.