Unquestionably, the weakest link in the armour of information security is the human one. Poor security habits among university employees and students have resulted in data breaches and numerous compromised accounts on NC State’s campus.
To thwart the use of compromised credentials, in March 2017, NC State began an initiative to require the campus community to enroll in its mandatory two-factor authentication (2FA) solutions — Google 2-Step Verification and Duo Security. Employees were first to enroll in the simple two-step login processes that allowed secure login to many campus technology services and that protected their personal and university data assets against up to 98 percent of all phishing attacks.
Student Enrollment
Beginning last September, NC State required 2FA enrollment for more than 25,000 active undergraduate, graduate, distance education, and non-degree seeking students. About 14,000 active student accounts were already enrolled in 2FA; many were required to enroll in the employee 2FA enrollment project.
The Office of Information Technology (OIT) onboarded the last student cohorts into 2FA in spring 2021, bringing closure to the university’s mandatory student 2FA enrollment and the four-year 2FA initiative to build a line of cyber defense against the ever-increasing phishing attacks that target the campus community.
Currently 82,886 student and employee accounts are protected by 2FA, and OIT enrolls new students and employees in 2FA on an ongoing basis.
“The implementation of 2FA across the campus community has allowed everyone to breathe a little easier,” says Andrew Kotynski, 2FA project team co-lead and director of Information Security Services in the OIT Security and Compliance unit. “With 2FA enabled everywhere, it almost eliminates the possibility of hackers accessing your email, financial and personal information and gives peace of mind to those who are responsible for keeping your information safe.”
“2FA provides not only additional security, but has allowed us to educate our campus users further on risks to accounts that have only password protection and to encourage them to enable 2FA on other services,” says Sarah Noell, 2FA project team co-lead and associate director of Design, Education and Outreach in the OIT Outreach, Communications and Consulting unit.
“Since the end user is the weakest link, enforcing 2FA has given us one more tool for end users to protect themselves,” she said. Noell added that enrolled students and employees can also use the new self-service 2FA Bypass Tool to generate authentication or “bypass” codes for Duo and Google 2-Step in situations where their primary authentication method, such as a phone or U2F security key, is not available.