Letter to the Editor: Is Two-Step Verification Scary?

Submitted on 30 October 2019

Letters do not necessarily reflect the views of the Quest or the Editorial Board.

If you’re reading this article, you’ve probably been enrolled in Duo Two-Step Authentication, by choice or not. The two-factor system was set up to protect your Reed Gmail, Drive, IRIS account, Moodle, and other services that require a Reed webpage login, and it applies to all accounts starting the morning of October 29th.

This has probably been a great source of confusion for a lot of students, faculty, and staff. The transition to a more secure network at Reed is a difficult but important one. Reed College has in the past been targeted by many phishing attacks that put confidential information, such as student records, confidential college information, and legally protected materials, in danger of being compromised. Even if your account doesn’t contain confidential information, it can still be used to launch phishing attacks in which the hacker impersonates you to compromise your information or other people’s.

However, with the two-step authentication system, an attacker would have to obtain both your two-factor device (your mobile device or hardware token) and your Kerberos username and password to compromise the security of our campus network and of confidential information.

Beyond questions about the purpose of Duo, many community members have expressed frustration with using Two-Step. Currently we offer three ways to log in through Duo. The first option is to get a push notification on a mobile device that has the Duo Mobile app. To use this option, link your device to your account through the Duo login screen: click the button with three bars that says “Settings” in the top right corner of the screen, click “Add a new device”, and then follow the instructions on the screen. If you need guidance with this, we have a help page at https://www.reed.edu/cis/help/duo/, or you can get help at our CUS helpdesk in the ETC.

The second option is to use a one-time passcode. This is a 6-digit passcode that is generated for that login attempt. These can be generated on the Duo Mobile app, by text on a mobile device, or using a Hardware Token. Hardware Tokens are physical devices that generate these passcodes, and you can acquire one free of charge from the CUS helpdesk.

The third option is to receive a call to log in. Once you register a number (of a mobile device or landline), you can log in by receiving a call and pressing any key on your keypad. Additionally, CUS recommends that community members set up both a mobile device and a hardware token to avoid getting temporarily locked out of their accounts. Lastly, on trusted devices you only need to log in using these options once a month per device per browser if you check the box that says “Remember me for 30 days”; note that this requires your browser to allow cookies for this page.

I hope this clears up any confusion about why we’re using Duo and how to use Two-Step on our network. We’re really excited to have this added security on our network, but we do understand that this can initially be a confusing system. However, this is an essential switch, and CUS is here to help you through whatever struggles come with operating your devices and using our network. If you need any help, don’t hesitate to visit the CUS helpdesk at the ETC or contact us at (503) 777-7525 or cus@reed.edu. We also have a FAQ for Duo at https://www.reed.edu/cis/help/duo/faq.html.