Students who enrol at Ryerson next fall and onwards will be required to use two-factor authentication when signing into their university email accounts.
The university’s cybersecurity team wants all Ryerson email users to sign in by entering their password and an authenticator code by 2022.
That means all students will have to refer to a code on an authenticator app linked to their email or buy a U2F key to insert into their computer to complete the second security step.
Ryerson’s chief information officer said it’s time to make the extra security login measure mandatory since the university is facing an increasing number of security threats as the tools hackers use become more advanced.
Brian Lesser said the university had to lock 22 student accounts last week because hackers accessed their accounts and made their passwords publicly accessible on online databases. “This week we locked another eight accounts for the same reasons,” he said.
According to Statistics Canada, universities reported one of the highest levels of cybersecurity incidents of all Canadian businesses that experienced attacks in 2017. About 46 per cent of universities reported attacks against them – second only to the banking sector, where 47 per cent of institutions reported experiencing cybersecurity incidents.
“Email accounts are great targets,” Lesser said. “If I can get hold of a lot of email accounts, I can send out spam for free.”
Email accounts are valuable since they contain personal work and banking information, he said. Since they are often linked to other accounts, hackers who compromise them can also access personal accounts like an Amazon profile, which they can use to purchase items, redirecting the receiving address, Lesser added.
“Nothing is bulletproof, but two-factor really raises the bar. So if there was one thing you could do to protect your accounts, using two-factor just changes things dramatically.”
Last week, Lesser wrote in a tweet that 12,880 people at Ryerson have two-factor authentication set up. Twenty-two per cent of those users are students, who have taken the extra precaution voluntarily.
Ryerson staff members are already required to use the additional security measure when signing in.
While Lesser champions the move to make two-factor authentication a university-wide procedure, not everyone thinks it’s necessary.
“I’ve yet to hear any stories of students crying because their my.ryerson account got hacked,” said Jan Jedrasik, president of the Computer Science Course Union.
Jedrasik said he had to start using two-factor authentication at Ryerson when he became a teaching assistant. He said it’s frustrating when he needs to log into his account but his phone’s dead since he uses the app.
“And if you switch phones, switching the authenticator over is another tooth-pulling process.”
Students who don’t have smartphones will have to buy a U2F key online or from an electronics store. They are small – about the size of a thumb drive – and easy to lose, Jedrasik said.
The computer science student said there’s a lot of fear-mongering about hackers stealing personal information. He said the best form of protection is a strong password that includes letters and symbols for every individual account.
“You’re going to have a lot of students who are going to screw up on two-factor authentication. They’re not going to be able to get into Ryerson accounts. It’s going to be a whole slew of problems in and of itself,” Jedrasik said.
Ryerson has been implementing two-factor authentication gradually. That strategy, according to Lesser, was employed “so it wasn’t a nightmare for people.”
When completing the two-factor authentication step, there is an option to trust the browser on the device you are logging in to for the next 30 days.
Because the process is unfamiliar to many, Lesser said he knows it’ll be a support challenge for students in the fall. “We’ll do our best at helping everybody through this.”
Google requires its more than 90,000 employees to use two-factor authentication with U2F keys. Since implementing the cybersecurity measure, the company hasn’t reported any account takeovers.
Lesser said the hope is that Ryerson sees similar results when it rolls out the mandatory measure for new students in the fall.
“I’d like to get to the point where we’re not locking student accounts, a student doesn’t wake up and discover they can’t submit an assignment or get on our wireless because we’ve had to lock their account or somebody else has hijacked their account.”
— with files from Melissa Bennardo
A previous version of this story had a headline that stated the new security measure will be implemented in September. The Ryersonian regrets this error.