UMW IT department addresses professors’ frustrations with multi-factor authentication and enhanced security
by MADISON FRY
Staff Writer
This semester, several professors complained about the effectiveness and efficiency of the multi-factor authentication system that was recently implemented to better secure UMW accounts. According to some faculty members, the updated authentication system proved, unintentionally, to be an inconvenient and unreliable way to log in to their university accounts.
After faculty and staff expressed frustrations with the authentication system, the University IT Department worked to create a fix that would benefit professors while still adhering to guidelines put forth by the Commonwealth. Faculty and staff can now choose between using multi-factor authentication or having a password over 14 characters and changing it every 90 days.
An email sent on Oct. 15 from Chief Information Officer Hall Cheshire communicated that multi-factor authentication would pause so that other options for enhanced security could be offered instead and integrated through password updates.
Most faculty, such as Professor of classics Angela Pitts, understand the importance of protecting their account security while still acknowledging the issues that resulted from using the multi-factor authentication system.
“Protecting the cybersecurity of UMW students, faculty, and staff is, of course, a serious challenge and an urgent priority. I take the cybersecurity of UMW systems very seriously,” said Pitts. “None of us wants a major breach of data, and cyberattacks involving malicious theft of data, sensitive information, and intellectual property are unfortunately becoming increasingly common.”
Despite their understanding, professors experienced difficulties with multi-factor authentication. Struggles with logging into Canvas, Banner and Outlook caused disruptions while teaching. Some professors, like Associate Professor of Spanish Antonia Delgado-Poust, did not like the multi-factor authentication as it required the use of their personal phone.
“To be completely honest, I was a little annoyed that we were expected to download an app on our personal phones just so that we could access Canvas during class time,” said Delgado-Poust.
Professors were inconvenienced by using their personal phones for a variety of reasons. Faculty mentioned storage problems, cell reception, workflow disruptions and overall inconsistencies in their login abilities.
“I, personally, found the frequent need to check my phone significantly disruptive to my workflow and sometimes disruptive in the classroom as I navigate between, say, Canvas and webpages and then back to Canvas in different segments of a lecture or class presentation,” said Pitts.
Surupa Gupta, professor of political science and international affairs, expressed her concerns about having to use a personal phone for multi-factor authentication as it causes issues when faculty members have to travel.
“I totally understand the need for the two-factor authentication login from a cybersecurity perspective. However, using our personal phones to do so seems problematic for many reasons,” Gupta said.
She continued, “Many of us in the UMW faculty travel internationally for work. I always turn off my U.S. phone while abroad. But if I am traveling to a conference during a semester, I am still responding to emails and on occasion, signing on to Canvas to do my work. I can’t sign on using a process that uses my U.S. cell phone number.”
Additionally, inadequate cell service furthered frustrations and disruptions while teaching, as professors were not receiving the codes needed to log into UMW services.
“Cell reception is sometimes not very good in older campus buildings, and some faculty have reported needing to leave their classrooms as they are logging in to Canvas to display material in the course management systems to their classes,” Pitts said.
The IT department acknowledged that the disruptions to the classroom were an oversight, and that further notice about the implementation, along with more training and testing opportunities, should have been provided. In response to these concerns, the university made a change that appears to have helped resolve the issue.
“The IT Department has been working to expand the use of MFA across all UMW systems, and that project could take 12 to 18 months to complete,” said Cheshire. “Until then, to meet Commonwealth requirements, UMW will change its minimum password length from 8 to 14 characters and expand the password change requirement from every 42 days to every 90 days.”
Many professors have opted to change their passwords frequently in hopes of avoiding any possible disruptions in the classroom that multi-factor authentication may cause.
“My own perspective is that if these challenges and disruptions while on campus may be averted by using the alternative best practice—a longer and more sophisticated password—then the alternative is highly favorable,” Pitts said.
“I will be changing my 14+ character password every 42 days. I am very grateful for the option,” said Delgado-Poust.
However, Professor of sociology Kristin Marsh was unsure if changing the password protection requirements would resolve the issues occurring with the multi-factor authentication.
“I don’t know—it actually depends on how often we have to log in; it will be disruptive in the classroom if one log-in doesn’t do it for the full day I’m on campus,” Marsh said.
The professors were content with the change in how their privacy and passwords can be protected, and they appreciated that the IT department was willing to listen to their concerns and create a suitable fix.
“I deeply appreciate the administration’s and the Chief Technical Officer’s willingness to pivot in a way that prevents some of the practical challenges of a two-factor authentication system for use of campus systems while on campus. The change, as I understand it, adheres to state guidelines and regulations and maintains best practice,” said Pitts.