When Penn State announced in February that two-factor authentication would be mandatory by May 12, some students were less than enthusiastic about the prospect of a more cumbersome login to their accounts.

However, according to Penn State’s cybersecurity experts, one extra step will go a long way for students’ protection.

Penn State students often fall victim to a certain type of phishing scam, according to Don Welch, Penn State’s interim vice president for Information Technology and chief information officer.

When a student falls for a phishing attack, they give up their Penn State login credentials, and the attacker then gains access to their account.

Often, the attacker goes into the student’s LionPATH account and changes the credit card information used to pay student bills. Then, right before the semester begins, the attacker drops a large number of classes, which triggers a refund to the credit card listed on the account — which is now the attacker’s credit card.

“So the student is now dis-enrolled and has lost money if the attack is successful,” Welch said.

That’s not all a phishing attack can do.

According to Richard Sparrow, Penn State’s acting chief information security officer, a student’s login information is more valuable than people realize. Once an attacker has student credentials, they can access a variety of systems and networks.

Attackers sometimes use a compromised student’s email to contact other student email accounts and steal more credentials, and they also try to access the student’s Box and OneDrive accounts.

Sparrow said Penn State has seen a “sharp increase” in these kinds of phishing attacks, and narrowly prevented a particularly bad one in January.

“We have thousands of accounts that are compromised every year simply because students get phished, or they use the same email and password as other accounts and those other accounts get hacked,” Sparrow said.

The best protection from these attacks, according to Welch and Sparrow, is two-factor authentication, also called 2FA.

Two-factor authentication means that a system requires users to authenticate their identity in two different ways.

“There’s three ways that you can identify someone,” Welch said. “Something they know, something they have, or something they are.”

“Something they know” would be a password, which is standard. “Something they have” is a phone or a hardware security key (a USB token). “Something they are” is used in biometric methods of authentication, like fingerprint or retinal scans.

By moving to two-factor authentication, Penn State will add “something students have” to their accounts, which are already password-protected.

The thing students have will generally be their phones, which will be equipped with Duo Mobile. When students sign into their accounts, they will confirm the login by pressing a button in the app, or by receiving a message or phone call on their phone or laptop.

Two-factor authentication has been mandatory for university employees since 2016, and was already optional for students, Sparrow said.

Penn State avoided mandatory 2FA for students for “as long as [it] could” because the university recognized its inconvenience, Sparrow said. However, the policy became necessary due to the prevalence of attempted attacks on student accounts.

“Everybody agrees that it’s a hassle, we shouldn’t have to [have 2FA],” Sparrow said. “We really have to blame it on the criminals.”

Fortunately, according to Sparrow, two-factor authentication is effective.

“Anywhere from 80-90 percent of data breaches and system compromises could have actually been reduced or prevented by actually using two-factor authentication,” Sparrow said.

Even if an attacker gets the username and password for a student’s Penn State account, they would not be able to log into that student’s account, because they don’t have the second factor. That protection holds as long as the student does not approve a login prompt they did not initiate themselves.
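To make the three-factor explanation above and the “stolen password alone is not enough” claim concrete, here is an added example that is not part of the article and not Penn State’s or Duo’s code. The page describes a push notification or phone call as the possession factor; that cannot be reproduced offline, so this example substitutes a time-based one-time code (RFC 6238 TOTP), the other common form of “something you have.” The account, password and login attempts are constructed for the demonstration; the secret is the RFC 4226/6238 test secret so the codes can be checked against the published vectors.

```python
"""Password plus possession factor: why a phished password alone is refused.

Added illustration (RFC 6238 TOTP standing in for a phone push). The
account, password and all login attempts below are constructed.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 30            # TOTP time step in seconds
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Constructed user record: salted password hash plus the enrolled device secret."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.otp_secret = otp_secret
        self.last_counter = -1   # highest time-step counter already accepted


def login(acct: Account, password: str, code, now: int, skew: int = 1) -> bool:
    """Both factors must pass. Returns a single verdict so the caller (and an
    attacker) cannot tell which factor failed."""
    # Factor 1: something you know.
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

    # Factor 2: something you have. Tolerate +/- skew steps of clock drift,
    # but never accept a counter at or below the last one used (replay).
    otp_ok, matched = False, None
    if code is not None:
        counter = now // STEP
        for c in range(counter - skew, counter + skew + 1):
            if c > acct.last_counter and hmac.compare_digest(hotp(acct.otp_secret, c), code):
                otp_ok, matched = True, c
                break

    if pw_ok and otp_ok:
        acct.last_counter = matched
        return True
    return False


def demo() -> dict:
    """Constructed scenario: the student's password has been phished."""
    secret = b"12345678901234567890"          # RFC 4226/6238 test secret
    password = "correct horse battery staple"  # constructed
    acct = Account(password, secret)
    now = 59                                   # RFC 6238 test time (counter 1)
    phone_code = totp(secret, now)             # what the student's device shows

    results = {}
    # Attacker knows the password but holds no device: no code, or a guess.
    results["phished_password_only"] = login(acct, password, None, now)
    results["phished_password_guessed_code"] = login(acct, password, "123456", now)
    # Student supplies both factors.
    results["student_with_phone"] = login(acct, password, phone_code, now)
    # The same code captured and replayed a few seconds later is refused.
    results["replay_of_used_code"] = login(acct, password, phone_code, now + 5)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32s} {'accepted' if ok else 'denied'}")
```

A guessed code still has roughly three chances in a million per attempt under this window, which is why a real deployment also rate-limits second-factor attempts; the replay check matters because a one-time code phished in real time is only useful to the attacker within the same time step.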

Sparrow and Welch know that some students would certainly opt out of 2FA if they could, but they stand by the decision to make 2FA mandatory.

“[Students] are not just protecting themselves,” Welch said. “They’re protecting other members of the university community and the university.”

Welch noted that a student leaving their account unprotected has ramifications for more than just that student. An attacker can use one student account to “work their way through the system, gaining more and more access.”

“A phishing email sent by a Penn State account is usually more effective than a phishing email sent from a non-Penn State account,” Welch said.

The university’s initial press release announcing the new 2FA requirements noted that 2FA is becoming increasingly prevalent, and is now required at a number of B1G schools, including Nebraska, Michigan State and Minnesota.

Welch said 2FA’s prevalence is another reason it’s important to make the protections mandatory.

“One of the obligations that Penn State has is to prepare students when they graduate to go out and be successful in their careers and as members of society,” Welch said. “Cybersecurity is an important part of operating in the 21st century. Being familiar with common security tools is another aspect of [being prepared].”

Both Welch and Sparrow expressed hope that students will enable 2FA on their non-Penn State accounts and that the university’s decision makes students feel more comfortable taking that step.

Welch and Sparrow predicted that once 2FA is in place, students will be reasonably safe for the foreseeable future.

Sparrow noted that due to 2FA’s security and planned rule changes to require slightly stronger passwords, students should expect to experience one fewer hassle in the future.

“We’re going to move away from the annual [password] expiration,” Sparrow said. “We expect most students will have one password for their entire academic career.”

Sparrow said the university is grateful for students’ compliance with the new policy. As of April 16, Sparrow said almost 40,000 students had enrolled in 2FA.

Students who have yet to enroll or would like more information can go to Penn State’s 2FA page. Failure to enroll by May 12 will result in losing access to all university websites that require a Penn State account. Graduating seniors are not required to enroll.

“If you do the basics — so you keep your system and the software on it updated, you don’t use the same password in multiple sites, and you have multi-factor authentication — you’re probably pretty safe,” Welch said.