Two-factor authentication program implemented to secure university accounts from cyber threats

Lehigh University is beginning to enroll students and staff in a new two-factor authentication program, called Duo, in order to secure students’ accounts by twice verifying their identities.

The  program is being used nationwide at universities to protect accounts from cyber threats.

Students are now not only required to enter their Lehigh username and password, but are also required to authenticate their identity in another form through a landline call, mobile or tablet push, or security key. 

“We are used to one-factor, which is when we have something that we know, like a password, to log into an account,” said Eric Zematis, Lehigh’s chief information security officer. 

Zematis explained two-factor authentication as the combination of something you know, a password, and something you have, confirming the login attempt from a tangible device like a phone or tablet. 

“Two-factor just says –– hey, in addition to something you know, we are going to have to have something you have as well, which is that second factor,” Zematis said.  

Lehigh’s Library and Technology Services is gradually enrolling students in Duo, an application that allows for the second factor to occur. Students are required to register when their Lehigh password expires every six months. 

Ava Florczak, ‘23, said while students and staff are not seeing what happens behind the scenes, some students see the two-factor authentication as “unnecessary.” 

“What we get to see on the backside of the counter of the service window is who is trying to access the services and how they are trying to get in,” said Colin Foley, information security architect. “We just constantly see everyday that there are people trying to get into accounts.”

While Duo is not bulletproof, it is effective in preventing perpetrators, Foley said. 

Students have been responding well to Duo, Zematis said. Though some students have voiced their frustration with the new two-factor authentication enrollment, he said it is extremely important in keeping students and staff accounts safe.

“I think overall people understand the need for it,”  Zematis said. “Sometimes people get frustrated if you forget your phone, if you left your phone in your dorm and you need to log in at the library or the computer lab. Obviously it could be a little frustrating and that is why we encourage people to try to set up multiple factors of authentication.”

In the case that a student or staff member is unable to log into their account, the Library and Technology Services help desk is able to assist in the login process. 

“If I am running late to get to one of my classes and the Zoom link is on Course Site, it takes a couple extra minutes to log onto class just because of the two-factor (authentication),” Florczak said. “It definitely makes me late to some things for sure.” 

Stacey Kimmel-Smith, assistant director of client services said Lehigh’s Library and Technology Services help desk has not seen Duo cause students many problems, but it may take them some time to get used to being prompted. 

 Kimmel-Smith said she has been pleasantly surprised at how well students seem to be adapting to Duo and it is good to have more than one way to provide the second factor. 

“Many more students are more entrenched in the cyber world and they have a cell phone that works well with Duo,” she said. “We haven’t heard as much from students as we did from staff, so it has been smooth in that sense.” 

Zematis said he understands that a new program can be frustrating, especially with a multitude of adjustments on campus due to COVID-19.

“I appreciate the students that are being patient with the process and understand that we are just trying to work to protect them and protect Lehigh,” he said.