USC

Students blast repetitive two-factor sign in, CISO looking into potential system problems

Students have been frustrated with the frequency of USC’s added cybersecurity measures since the program’s start.

The screen that is shown to a student or faculty member after they try to log in.
(Photo by Jackson Bry)

Nearly three weeks after the USC community was required to start using a multi-factor authentication system to log into USC systems, students are calling the login program unnecessary.

To log into USC systems, students and faculty must first log in with a username and password, then respond to a push notification, call or text message on their phone through an app called Duo Mobile to gain access.

Some students have been frustrated with being forced to use Duo multiple times per day to complete their Daily Trojan Check, schedule a COVID-19 test or access Blackboard.

“[Duo2FA] is very frustrating, and the repetition of it is very annoying,” said Megan Ortiz, a sophomore majoring in creative writing. “Actually, because of this thing, I’ve lost multiple assignments and had to redo them because it makes me re-sign in.”

The use of Duo has been required for faculty, staff and student workers since 2020. The university’s decision to add students to the requirement went into effect Jan. 20 and was made in response to the pressing issue of ransomware incidents, said Chief Information Security Officer Gus Anagnos in an interview with Annenberg Media.

The two-factor precaution is part of USC’s four-year plan known as Secure USC, meant to strengthen USC’s information security practices.

Additionally, security concerns are rising after University of California security systems were targeted in a cyberattack last March. During the first quarter of 2021, schools accounted for nearly 10% of globally reported cyberattacks. Phishing emails, in which a link is sent from an account that looks familiar to the targeted individual, are one of the main ways cyberattacks are attempted.

Two-factor authentication was implemented at USC in part to combat phishing emails, Anagnos said, which pose a large threat to USC staff, students, faculty and alumni.

“These phishing emails, that’s right down the front door,” Anagnos said. “And if you can shut down the front door, they have to find other ways.”

Although some students have complained about the frequency of the two-factor authentication, Anagnos said this should not be an issue.

“If they’re experiencing that, there’s something wrong because of the way the system has been set up and those students should come forward,” Anagnos said. “They shouldn’t have to authenticate more than a couple of times a year per device. So, if they’re being prompted to authenticate, often using the same device that they’ve already authenticated with, then there’s a problem.”

Anagnos said his office plans to look into this issue.

“I feel pretty strongly about [Duo2FA], because at this point, I’m required to log in to my USC probably upwards of 15 times a day for anything from a Trojan Check to Blackboard to myUSC to web registration,” said sophomore business major Kieran Thomas. “And for some reason, you can’t log in once and be good for the day.”

The new system adds a second layer of protection against cybersecurity attacks, Anagnos said, but some students don’t see the need for the precaution.

“I didn’t really see a threat or problem beforehand, or I never dealt with problems,” said Ashley Dukellis, a freshman business administration major. “I don’t see a use [for Duo2FA].”

Though students have faced challenges with two-factor authentication, Anagnos urged students to approach him.

“I ask the students to come forward if they’re having any challenges, if they fall into these categories because we can solve them for them,” Anagnos said. “It’s important also to note that my security team and my whole reason for being here at USC is to make your lives more secure and try to make your lives as easy as possible.”

Samuel Reno contributed to this report.