Multi-Factor Authentication (MFA) at CSULB
A CSU campus suffered a ransomware attack in 2020. As a preventative measure against cyberattacks, the Chancellor’s Office urged all CSU campuses to implement Multi-Factor Authentication (MFA), also known as two-step verification, for all students and employees. Approximately 1,000 CSULB employees who have access to sensitive CFS information or who manage information systems and services were the very first users of MFA. The use of MFA was expanded to all students on January 27, 2021 and to the rest of employees (including student assistants and volunteers) on February 24, 2021.
What is Multi-Factor Authentication?
MFA is a security layer that makes it more difficult for hackers to gain access to and control of computing accounts, devices, and online information. MFA functions as a technology to help protect computing resources and organizations from potential compromise by requiring the use of more than just a username and password. MFA verifies your identity through a two-step process before granting you access to the associated online application(s). You may already be using MFA to protect access to online services such as your banking, credit card, Gmail or Facebook accounts. The two verification methods that are usually required to prove your identity are information you know (almost always your username and password) AND a unique item you have (typically your cell phone).
Why Implement MFA?
MFA does not stop all types of attacks, and it does not guarantee security, but it does add an additional level of authentication that reduces the risk of technology and data compromises by making cyberattacks more difficult.
MFA can help a University community:
- Deter unauthorized access to student, faculty, and staff computing devices, accounts, and other online resources by requiring secure, real-time login verification from end-users
- Reduce incidents of compromised accounts whereby online criminals use stolen credentials from students, faculty, and staff to launch cyber-attacks from University systems and steal sensitive and confidential information—and potentially money—from campus community members
- Improve protection for campus computing systems and sensitive data, even if a student or employee password has been compromised
Computing account disruptions, data breaches, and device compromises are widespread in today’s ever-connected world of remote work and instruction. Campus community members who rely on a university’s technology infrastructures are vulnerable to these threats. For example, it can be a challenge to recognize the difference between a legitimate login screen and one that’s set up as a phishing scheme to capture your username and password for use in fraudulent schemes or other criminal activity.
With the protection of MFA, if someone guesses your password or deceives you into providing it by posing as a legitimate source, that attacker will still face an additional barrier preventing their access to your account and data. Only the user of a registered trusted device can lift the MFA barrier, making the technology a preferred security method for CSU campuses and the Chancellor’s Office.
How Does It Work?
With MFA, you provide an additional verification method to prove you have access to a trusted device. When logging into the campus’ online resources, you will be required to enter your username and password as usual. Then, you need to prove that you have access to a trusted device/phone that you previously registered. Only after completing the additional verification step using your trusted device will you be granted access.
Roadmap and Timeline of MFA at CSULB
- Summer 2017: Duo MFA for Information Technology system administrator staff
- March 2019: Duo MFA for Administrative Finance system service users (CFS)
- January 27, 2021: Microsoft MFA for all students upon accessing University-provided Microsoft services (i.e., email, OneDrive, Teams, and all Office 365 Apps)
- February 17, 2021: Microsoft MFA for Administrative Human Resources and Student Administration system service users
- February 24, 2021: Microsoft MFA for all employees (including student assistants and volunteers) upon accessing University-provided Microsoft services (i.e., email, OneDrive, Teams, and all Office 365 Apps)
- February/March 2021: Microsoft MFA for Student Administration system service users
- February/March 2021: MFA for Student Center (MyCSULB) student access
- June 1, 2021: Implemented MFA upon Single Sign-On login to protect more campus services
- October 25, 2021: Implemented MFA for accessing the campus Virtual Private Network (VPN)