Duo two-step login will become mandatory for all Oregon State University students beginning fall and winter term. 

Each student will have their own specific mandatory date which they can find online. Students will start receiving dates in late October, and they will continue until mid February. Duo is a two-step login system, also known as two-factor authentication. Duo protects OSU accounts by verifying the account holder’s identity with two forms of identification: a physical object, like a cellphone, and something private, such as a password. 

Erica Lomax, director of Identity and Access at OSU, said cyberattackers tend to target higher education.

“Two-step login is important because higher education is a prime target of cyberattack due to the volume of people, financial and research data that we have, the open access of our campus and services, and the collaborative way in which we operate,” Lomax said in an email. 

Lomax said that students often do not think that their account has anything worth protecting. That is not the case, as all student accounts have access to information which cybertrackers find of worth.

“All student accounts have access to resources that cyberattackers find valuable, including library journals, edu email addresses and computing resources such as web servers,” Lomax said via email. “In addition, your account can access your own information—your SSN on tax forms and your direct deposit banking information for financial aid and payroll.”

Lomax also gave some helpful tips for using Duo. Duo can remember your login information for up to 12 hours on the same device and browser. You may also have more than one registered Duo device, but you can only have one hardware token.

Duo will protect accounts and prevent cyberattackers from accessing valuable information. But two-step login will also be implemented due to an increase in the number of compromised OSU accounts.

A privacy incident occurred in the beginning of May this year. An OSU employee’s account was hacked and used to send phishing emails, a type of scam where criminals send an email that appears to be from a legitimate sender, and ask for sensitive information.The hacker had access to more than 636 student and family records.

David McMorries, the chief information officer at OSU, said the university was targeted by a criminal organization.

“The cyberattacker had the usernames and passwords for these accounts, and could therefore access information by impersonating OSU employees and students,” McMorries said via email. 

He said that Duo would prevent a cyberattacker from hacking, regardless of whether or not they had obtained account information to log in. 

“Any system that uses Duo prevents a cyberattacker from accessing those systems, even if they have usernames and passwords. Unfortunately, we found about 600 sensitive student and family records in a system that did not have Duo applied yet,” McMorries said in an email.

According to McMorries, October is Cybersecurity Awareness Month and students and faculty should know that higher education is being targeted by cyberattackers. Students have been receiving emails from people impersonating OSU staff or faculty with fake job offers. If you have concerns about the authenticity of any email you receive, you can forward it to [email protected] and the Office of Information Security can assist you.cyber C