In Spring 2021, we moved to protect our entire student population with multi-factor authentication (MFA). We rolled out MFA to more than 47,000 students in five waves, with the last group of accounts activated on April 9, 2021. As of today, 100% of SJSU accounts are protected with MFA.
Our data shows that MFA works at SJSU. From September 2020 to February 2021, just before the student rollout, MFA blocked access almost 100,000 times, which is 4.6% of all attempted logins during that time span. Recently, other campuses without MFA have been attacked through unprotected student accounts.
Protecting our student accounts with MFA is a major part of our strategy to be one of the most secure campuses in the country. Attackers have started playing the long game. They’re gaining access to student accounts, targeting people majoring in fields that are high income or who may have access to valuable research. Once they have passwords that work and access they can use, they wait five, ten, or more years to use that access to ransom user data or get into secure corporate systems. MFA for our students isn’t just about protecting them while they’re on campus, but protecting them when they’re alumni.
There are lots of people in SJSU IT who worked on this rollout, but we couldn’t have done it without the support of Student Affairs, especially Robb Drury and Bonnie Sugiyama. I want to call out Maggie Panahi, Jason Ferguson, Sharon Watkins, Alfred Eclipse, Tristan Orlino, Andy Trembley, and James Anderson for their contributions.