Two-factor authentication rolls out for SF State faculty

With staff and faculty behind them, Information Technology Services are setting their sights on students


Lucky Whitburn-Thomas

Administration building located at the entrance of SF State on, March 15, 2021. (Lucky Whitburn-Thomas)

After over a year of COVID-19 related delays, Information Technology Services completed signing all SF State teaching faculty up for two-factor authentication two days ahead of its imposed Wednesday deadline. 

SF State faculty were already supposed to be using two-factor authentication this time last year following multiple cybersecurity issues across the 23 CSU campuses. While SF State staff were set-up with two-factor authentication in January 2020, the pandemic pushed back the launch of the program for teaching faculty. 

With the completion of faculty sign-ups, only students and community members remain to be added into the new system, according to Mary Morshed, information security officer at SF State.

“The big part is how do we roll out self service to help the students get on board quickly?” Morshed said. ITS is hoping to roll out two-factor authentication to the remainder of the campus community by early next year.

All of this begs the question: What exactly is two-factor authentication?

At its core, all two-factor authentication does is send a code to verify that the person logging into an account is the actual owner of said account. This can be done over text, call, email or through an app or physical token.

This system is used by social media sites such as Instagram, banks, dating apps and other online spaces that require you to enter a password. Andrew Roderick, the assistant vice president of Academic Technology, said that some students might recognize it from Sony’s PlayStation Online platform.

“PlayStation has been requiring two-factor authentication for quite a long time,”  Roderick said with a laugh. “I think many of our students are probably very familiar with getting their Sony Code as part of their gameplay.”

Two-factor authentication at SF State, along with other CSUs, is done through an app called Duo. For those without access to a smartphone or cell service, physical key fobs that display a PIN number can be provided as needed. Morshed said that there was even a device that allowed those who are visually impaired to forego typing anything in. 

PlayStation has been requiring two-factor authentication for quite a long time. I think many of our students are probably very familiar with getting their Sony Code as part of their gameplay.”

— Andrew Roderick

Nish Malik, the associate vice president and CIO of Information Technology Services, said one of the main pushes from the Chancellor’s Office to implement two-factor authentication was the amount of student, staff and faculty emails that were compromised and used for phishing emails. 

“The number of students falling for those phishing messages, especially the ones that refer to ‘earning $500 a week’ is quite sad and frustrating,” Malik said.

Both Morshed and Malik said that while the number of phishing emails has not changed much since the pandemic, the tactics have. 

“We’re seeing an increase in the bad actors targeting students for remote jobs,” Morshed said, “they’re more and more successful with that because it seems like the students are looking for that right now.” 

While staff and faculty are on board with two-factor authentication, getting around 28,000 students signed up may prove to be more of a challenge. Although Malik said he is hoping to roll out two-factor authentication to students early next year, he knows that Morshed and her team are working to get it out as soon as they can.

In the meantime, his message to students is that if it seems too good to be true, it likely is.  “No one’s gonna send you a message to enter your social security number and your password, [and then they promise] you’ll get a job for $3,000 a month,” Malik said. 

Check out ITS’s Phishing Guide here