Bringing Multi-Factor Authentication to Our Students

In Spring 2021, we moved to protect our entire student population with multi-factor authentication (MFA). We rolled out MFA to more than 47,000 students in five waves, with the last group of accounts activated on April 9, 2021. As of today, 100% of SJSU accounts are protected with MFA.  

Our data shows that MFA works at SJSU. From September 2020 to February 2021, just before the student rollout, MFA blocked access almost 100,000 times, which is 4.6% of all attempted logins during that time span. Recently, other campuses without MFA have been attacked through unprotected student accounts. 

Protecting our student accounts with MFA is a major part of our strategy to be one of the most secure campuses in the country. Attackers have started playing the long game. They’re gaining access to student accounts, targeting people who are majoring in high-income fields or who may have access to valuable research. Once they have passwords that work and access they can use, they wait five, ten, or more years to use that access to ransom user data or get into secure corporate systems. MFA for our students isn’t just about protecting them while they’re on campus, but protecting them when they’re alumni.

There are lots of people in SJSU IT who worked on this rollout, but we couldn’t have done it without the support of Student Affairs, especially Robb Drury and Bonnie Sugiyama. I want to call out Maggie Panahi, Jason Ferguson, Sharon Watkins, Alfred Eclipse, Tristan Orlino, Andy Trembley, and James Anderson for their contributions. 

Best regards,
Bob Lim

Cybersecurity Newsletter for Fall 2020

Dear SJSU Community,

With the transition to remote modalities, most of you are now learning, teaching, and working from home without the protections of SJSU’s fortified network. This coincides with an uptick in cybercriminal activity as malicious attackers look to prey upon our uncertainties and anxieties. We want to help by giving you the tools and resources to protect your digital life.

Security is very important for us. It’s one of our driving goals, as outlined in President Papazian’s Transformation 2030 strategic plan. We want to be the safest university in the country. And it’s even more important to us today as we look outside traditional answers to protect you off-campus.

Sophos
We’ve partnered with Sophos, our campus antivirus vendor, to secure Sophos Home Premium licenses for faculty, staff, and students. Sophos Home Premium is an industry-leading, AI-enabled antivirus tool with features like real-time antivirus monitoring, ransomware protection, privacy & identity protection, and more. Home Premium usually retails for $60, but you can use your @sjsu.edu email account to download and install it for free on up to 10 computers.

Duo Multi-Factor Authentication
As of December 2019, all faculty and staff were required to have Duo Multi-Factor Authentication on their SJSU accounts. Adding an additional layer of security by requiring login confirmation from a mobile device has made their accounts much, much more secure. In April, we opened up this option for students who wanted to protect their accounts from malicious agents. Over the next year and a half, we’ll be gradually requiring students to enable Duo on their accounts. If you’re a student, we highly encourage you to sign up early and protect your account today. Plus, if you enroll in Duo, we’ll extend your password renewal timeline from 180 days to two years. You can learn more about Duo and how it works on our Duo for Students website.

LastPass
A strong password is the first line of defense for your account. We’ll be partnering with LastPass to provide premium password management software for all SJSU students, faculty, and staff. We all know that we should have different passwords for every account we have everywhere. Still, all those passwords can be hard to remember and continually coming up with new ones feels like an uphill battle. LastPass will suggest, store, and autofill extra-secure random combinations of numbers, letters, and symbols for all of your accounts. Because LastPass encrypts all of your passwords, it’s much more secure than keeping them on a notepad or Google Doc. We’ll follow up with you on where and how to add SJSU LastPass to your devices later this semester.

Constant Vigilance
The first, best, and most effective defense against malicious actors is always you. The SJSU IT Information Security team has resources, training, and help for you to become a more critical user. I encourage you to explore our website, sign up for a Zoom training, and try some of the available security tools.

Thank You
I know that not everybody finds information security as exciting a topic as I do. So I want to thank our entire university, all the way from incoming frosh to President Papazian, for taking data safety so seriously. Together, we can make SJSU the safest campus in the country.

Regards,
Bob Lim
VP of Information Technology
and CIO at San Jose State University

Hien Huynh
Information Security Officer
SJSU IT

SJSUOne Password Extension with Duo – It’s Free

We’ve heard the feedback from faculty and staff about password security and have made changes to how often password renewals will be required. Starting with our initial pilot rollout, if faculty or staff have Duo Two-Factor Authentication (2FA) active on their SJSUOne account, their password won’t expire for two years. That means no more email reminders every 180 days and no more locking yourself out when you inevitably forget it the next morning. Our goal is to always find technology solutions that add more value — that’s the competitive advantage that SJSU IT offers.

Two-Factor Authentication adds a second layer of security to your SJSUOne account. By verifying your identity using a second factor (such as a key fob or your mobile device), 2FA makes it much more difficult for anyone else to log into your account, even if they know your password.

Signing up for Duo is easy and free. Learn more about Duo 2FA and fill out the registration form on our Duo@SJSU webpage. We’ve already made enrollment mandatory for university staff, and we’re aiming to have all faculty enrolled in Duo by December 1, 2019.

We greatly appreciate everyone’s diligence and support in protecting our students’ data and enhancing the security of our campus. Thank you for your continued help and support.

Thank you,
Bob Lim