In Spring 2021, we moved to protect our entire student population with multi-factor authentication (MFA). We rolled out MFA to more than 47,000 students in five waves, with the last group of accounts activated on April 9, 2021. As of today, 100% of SJSU accounts are protected with MFA.
Our data shows that MFA works at SJSU. From September 2020 to February 2021, just before the student rollout, MFA blocked access almost 100,000 times, which is 4.6% of all attempted logins during that time span. Recently, other campuses without MFA have been attacked through unprotected student accounts.
Protecting our student accounts with MFA is a major part of our strategy to be one of the most secure campuses in the country. Attackers have started playing the long game. They’re gaining access to student accounts, targeting people majoring in fields that are high income or who may have access to valuable research. Once they have passwords that work and access they can use, they wait five, ten, or more years to use that access to ransom user data or get into secure corporate systems. MFA for our students isn’t just about protecting them while they’re on campus, but protecting them when they’re alumni.
There are lots of people in SJSU IT who worked on this rollout, but we couldn’t have done it without the support of Student Affairs, especially Robb Drury and Bonnie Sugiyama. I want to call out Maggie Panahi, Jason Ferguson, Sharon Watkins, Alfred Eclipse, Tristan Orlino, Andy Trembley, and James Anderson for their contributions.
We would like to remind you of a security threat that is never far away: Phishing. During a phishing attack, a scammer disguises their email to look like a legitimate message from a colleague or company in an attempt to trick you. The goal of the phishing email is to have you click on a link or open an attachment that will ask you for sensitive or confidential information. Find information on how to spot phishing emails on our safe computing pages.
Signing up to use two-factor authentication with Duo helps keep your account safe. With Duo, you’ll be protected when somebody attempts to use your account through Okta single sign-on or other Duo-integrated apps (such as a VPN client). You can learn more about Duo and sign up for it early here.
Impersonation alerts are another useful feature, available on the Gmail website and in the Gmail apps for iOS and Android. These alerts will help remind you to be vigilant about suspicious emails, but they work best when you’re using your SJSU email account for university-related communication. If you see this alert, take a moment to review the details of the message, referencing our safe computing tips.
The single best way to protect yourself is to stay vigilant and use common sense. Oftentimes, phishers will impersonate figures of higher authority. But if you ask yourself, “When’s the last time the President emailed me directly?” and the answer is “Never,” that should raise a red flag. If you ask yourself, “I thought the President had better grammar/punctuation/spelling?,” that should raise a red flag. If you see these kinds of suspicious emails, use the Report Phishing feature in Gmail.