Tuesday, Feb. 6, 2018 was the day that everything changed for the students at the Embry-Riddle Daytona Beach Campus. No longer could students log onto their ERNIE web portal easily; now it requires a personal mobile device to approve the login. This issue has caused widespread frustration and controversy through both the student body and the faculty and staff on campus, as they too are not immune to this new level of security. In fact, one morning this past week while sitting in class, a professor stood up front stating that he needed a student to log on to the computer because he had forgotten his phone and could not log into his account to start the lecture. This example alone shows that two-step activation is a nuisance and is already impeding professors’ abilities to teach their courses.
Two-step security is, in general, a good thing when it comes to cyber-security. It ties another physical device to an account to ensure that the person logging in is also in physical possession of the device linked to the ERNIE that the individual is trying to log onto at the time. Two-step has been very useful for securing other accounts most students have on campus, such as Steam and Google. The key is that neither of these companies abuses the two-step system and only uses it as extra assurance of protection, and not as an annoying crutch. Never before has such an offensive two-step verification system been used to such an extent. If someone were to log into Google from an unknown computer, Google would send them a message on their phone asking if they initiated the sign-in attempt. The person can say “yes it was [them],” or if they do not recognize the location, they can change their password and lock out that location. Steam also uses their app to secure users’ accounts by asking for a code that is continuously displayed and refreshed in the Steam app. Steam only prompts for an identification number if you are logging onto a device that the user’s Steam account does not recognize. Microsoft also uses two-step verification, and their system seems to be the most unobtrusive and useful. It sends you a text message with a code only if you reset your password, which helps protect against a person with malicious intent who tries to hijack an account. In fact, Embry-Riddle already uses this system, as students have received a text-based code for resetting their ERNIE password in the past.
The system that currently has a stranglehold over ERNIE is not only annoying, but it also demands too much from the user. The fact that all of a sudden the IT department requires ERAU personnel to download an app from Duo to log into their accounts for school is just insulting. ERNIE is already a mess, has a terrible user interface, and is slow and unresponsive; now, however, people are forced to take up memory space on the devices that they pay for, just for another system that continues to slow down the possibility of being productive. The method initiated by ERAU’s IT is terrible for students with a phone, but it is an even bigger hassle for the students that do not have a smartphone or any phone at all. There are students on campus that do not have smartphones, and instead of push notifications through the Duo app, they are forced to receive a call every time they want to log in to ERNIE. Students that do not have cell phones are forced to enter a landline number, and if they live on campus, they might not have that either. The IT department instead gives these students a physical key fob that they cannot lose if they even want to have access to their classes. This hassle means there are students here that can no longer log into their ERNIE accounts, and because of how much students do through CANVAS and ERNIE in the classroom, this could cost them their grades.
The worst part about this system is that it is not only obstructive, annoying, and intrusive; it does not even come as close to securing accounts as it claims to do. The students here are just human, meaning that they forget their phones at home, or even lose them. These occurrences would allow for people who find lost phones to have access to the owner’s account. In fact, most people have the Canvas app, which bypasses ERNIE entirely and lets them see their grades and turn in work. ERAU is a high-tech school full of highly skilled coders and hackers. Through ways that will not be explained in detail to prevent giving anyone ideas, all the students’ login information and phone numbers are readily retrievable from the Embry-Riddle IT servers, and these servers are not precisely Fort Knox. No one could imagine the Duo servers being the most secure either, especially after witnessing far more critical information having been extracted from far larger corporations. Even on personal computers, it gives people the option to remember them for a week, thus allowing anyone who has access to those the ability to log in without two-step verification. Get in once, and anyone can change the phone number from the rightful owner to theirs, giving themselves full access to someone’s account.
The key to this entire issue is precisely what people are trying to protect. This problem isn’t about grades or test answers, but it is about money. Through ERNIE, a student can access the Student Center, which is an entirely different piece of software that lets students access their financial aid and accounts. This information is, of course, the root of the entire issue: there are large sums of money being transferred here so students can pay their tuition, flight training, and even reload their dining dollars. What continues to perplex people is why IT didn’t just use two-step verification for this process and spare students and faculty the trouble. It would have been much better for the entire campus if IT gave students and faculty the option to use two-factor authentication, instead of just mandating it in the middle of the semester. Upon first seeing the emails about two-factor, most students initially assumed it was optional, and didn’t sign up thinking they could just opt out of it. The majority of students were, however, rudely awakened to find themselves locked out of their accounts. A two-factor authentication process is a tool, and it should not be an integral part of a university’s student portal. People can only hope that the IT Department at Embry-Riddle takes the time to think about this and rolls back their decision on two-factor authentication. Two-step is utterly unnecessary for typical day-to-day logins for students and faculty, and IT should target issues at their sources, not punish everybody for their mistakes. This is just another sign of how out of touch the technology departments on campus are with the student body.