UC Santa Barbara has adopted multi-factor authentication processes for students to sign into their school emails and Gauchospace pages as of this summer.
Alongside all other universities in the UC, UCSB adopted Duo Security as its Multi-Factor Authentication (MFA) provider. Duo provides an additional layer of security using push notifications to another registered device when logging into applicable websites.
“Duo was selected as UCSB’s MFA provider because they were both a market leader and used throughout the University of California locations,” Reyes said.
Efforts to utilize Duo for UCSB’s cybersecurity began in 2018 when the University of California adopted a new version of the BFB-IS-3 Electronic Information Security policy to address newer security threats, according to university spokesperson Kiki Reyes.
“This policy required identifying applications and data,” Reyes said in a statement to the Nexus. “Applications and data at the highest levels are now required by UC policy to rely on multi-factor authentication.”
Reyes noted that a lack of protection surrounding academic and financial data, along with the availability of UCSB email addresses, were some concerns the university noted when considering new avenues toward cybersecurity.
“Student academic and financial data are governed by federal privacy laws and have a high protection level,” Reyes said in the statement. “Similarly, email is critical to academic, research, and business processes and has a high availability level.”
Reyes said UCSB has followed “a pragmatic deployment of Duo” since 2018, focusing on administrative access to services and systems with applications and later expanding it to student use for websites like Student Health Patient Portal. UCPath started using Duo in 2020 on Jan. 25. Duo is also now being employed for Google workspaces and Gauchospace.
However, Duo has had troubleshooting issues recently, with users having trouble logging into sites that require Duo due to the app not loading on their device. The University speculates that this is a result of these users being connected to a local internet service provider, and Reyes said UCSB is currently collaborating with Duo to resolve this issue.
“While the number of affected users is relatively small, we recognize the impact of having only intermittent access to campus services,” Reyes said. “To mitigate that, we have temporarily disabled Duo for Gauchospace (including the new Canvas service) until the problem is resolved. UCSB Gold has not yet implemented Duo.”
Reyes said that the university suspects Duo will be a part of UCSB’s cybersecurity for the foreseeable future.
“Data theft and financial fraud due to compromised passwords are a real risk to all members of our campus community,” Reyes said. “Multi-factor authentication is currently the best way to mitigate those risks, and the University’s cyber-security experts expect Duo to be part of the information security strategy for the foreseeable future.”
Students at UCSB have mixed feelings about Duo, however, especially with the MFA provider now being expanded in use to other platforms like Gauchospace. For fourth-year sociology major Mattisen Pevehouse, Duo was useful until the university began requiring it for other websites.
“At first, I thought it was pretty helpful when it was just for student health, but then they started adding it to Gauchospace,” Pevehouse said. “It kind of made it hard because when I’m in class, if I’m logging into Gauchospace on my laptop, I have to wait to get a notification on my phone, and that was a whole thing because I had a class over the summer where [the professor] didn’t allow us to use our phones.”
Pevehouse said she understands the need for Duo on websites that require more security like Student Health, but she does not see the need for the application on other pages like Gauchospace.
Fourth-year political science and economics double major Daniel Chu had a similar sentiment, saying that only websites with more personal information need measures like Duo.
“I feel like when it’s financial aid or if people’s personal information is at risk, then yeah, totally,” Chu said. “Something like Gauchospace though, you don’t need to do security for all those applications.”
Pevehouse and Chu both voiced that although Duo should continue to be a part of UCSB’s cybersecurity for the foreseeable future, the university should scale back its usage to only websites that would require the extra security.
“I don’t see it going away anytime soon, but I would like to see it not for things like Gauchospace, where it’s really not necessary,” Chu said.
A version of this article appeared on p. 3 of the Sept. 29, 2022 print edition of the Daily Nexus.