ILR School Moves All Faculty to Two-Step Login
In August 2017, all nonacademic staff at Cornell University were required to start using Two-Step Login with CUWebLogin. Two-Step Login is a CIT service that makes it difficult for criminals to use stolen Cornell passwords by requiring something they don’t have. When you enter your Cornell NetID and password on any site that requires CUWebLogin, Two-Step Login asks for a second step: using a device in your possession to confirm your identity. This can be responding to a notification sent to a smartphone app, accepting an automated phone call, entering a passcode, or pressing a button on a USB device.
For the ILR School, the transition to requiring all staff to use Two-Step Login went so smoothly that Jeff Bishop, Director of ILR Technology Services, appealed to Joe Grasso, Associate Dean of Finance, Administration, and Corporate Relations, to expand the service to faculty. Bishop discovered that many faculty felt they were already “using Duo” (the cloud service behind Two-Step Login) but didn’t understand that there was also an “expanded use” option. He was invited to speak at a faculty meeting in early September, and gave a presentation on the risk of having your password compromised through phishing and how Two-Step Login can help improve cybersecurity.
“The faculty responded well to the presentation and question and answer period afterward. Within a week, we had a 75 percent voluntary adoption rate,” said Bishop. As of October 3, all ILR employees are required to use Two-Step Login wherever available. They are the first college at Cornell to do so.
“The response has been positive,” said Grasso. “ILR Technology Services staff helped faculty set up Two-Step Login on their computers and other devices; they’ve taken a very proactive approach to making sure people understand how easy it is to use.”
Bishop added, “Faculty do not want to be burdened by IT security measures, but they want to protect their personal identity and keep their data safe. Requiring Two-Step Login has helped reduce risk with a tolerable amount of friction.”
The next logical step, according to Bishop, was to require Two-Step Login when connecting remotely to the ILR departmental VPN. That change was rolled out on November 8.
Faculty in other colleges are not required to use Two-Step Login with CUWebLogin, but they can choose to expand their use.
As a whole, Cornell University is subject to about 200 separate phishing attempts per week, targeting thousands of individuals. Last January, criminals gained access to about 270 employee passwords, using them to log in to Workday, redirect employees' paychecks, and file fraudulent tax returns. Phishing attempts are getting more and more sophisticated, as the cybercriminal business is a multibillion-dollar industry.