Recently, ONU Information Technology began requiring students to use Duo Authentication when they sign into online campus services. In addition to the usual username/password combination on ONU websites, Duo Authentication requires either a text message, a phone call, or an in-app “push” to a student’s cell phone or another device to confirm their identity before logging in.
Duo Authentication is effective because it requires identity verification from two different sources: the text/call/push is delivered through a different channel from the traditional username and password, using Duo’s security system as an intermediary. This structure still works even if the student logs into Ohio Northern on the same device they authenticate themselves with; cryptographic techniques separate the digital channels.
Yet despite this, Duo Authentication has been received relatively poorly by the ONU student body. Anyone who has spent considerable time on campus over the past few weeks likely heard complaints from their peers about the system, and they have also likely developed a strong opinion. To help develop this article, a survey was sent out to all ONU students, hoping to gauge the average opinion of the student body. Northern Review received 778 responses at the time of writing (2 days after opening the survey), a little under one-third of the size of the student body. Below, please find a few graphs representing the results of this survey:
There are some interesting trends here. While every question yielded results indicating opposition to Duo authentication, two questions stood out as less polarizing than the other two: the students’ level of concern about their online security and their assessment of the extent to which Duo Authentication has made them more secure online. On their level of concern over online security, 266 students responded with a 3, 4, or 5 (high). On Duo’s efficacy, 219 responded 3, 4, or 5. This data equates to 34.2% and 28.1% of respondents, respectively. While this seems low, it is surprisingly high compared to the 115 (14.8%) who indicated a 1, 2, or 3 in terms of the inconvenience caused by Duo Authentication. This means a significant portion of respondents recognize the importance and efficacy of Duo Security yet also feel significantly inconvenienced by it. Considering that responses for the “overall satisfaction” question resemble the trend of the inconvenience question (only 174 responded 3, 4, or 5, making up 22.4%), it is also rational to conclude that many students’ satisfaction with their Duo Authentication experience derives more from the inconveniences they encounter than it does from considerations for online security.
I spoke with a few students to learn more about their experiences and to see whether they could further illuminate the survey results. One student, Emily Pacek, expressed conflicting opinions about the state of online security in ONU’s systems. She believes online security is important, and recognizes that the implementation of Duo Authentication has likely made ONU more secure. However, she also feels that pre-Duo levels of security were sufficient. Some of this uncertainty comes from her feeling that she doesn’t completely understand the mechanisms or benefits of Duo Authentication, saying to me, “I mean, I don’t know anything about cybersecurity.” This state of mind may have contributed to several ONU students’ tendency to consider the more immediate inconvenience, as demonstrated by the survey results.
While Emily’s stance seems to be a default of suspended judgment, others have had negative experiences affecting their view of Duo Authentication. One student, Nathan Carnevale, expressed frustration with Duo Authentication’s inconveniences. Although he also affirmed the importance of security on campus networks, he thinks the campus would be fine without Duo Authentication. He said that Duo “adds unneeded tension” to the classroom setting. He identified the necessity of cell phone use as being at odds with some of his instructors’ anti-phone classroom beliefs and policies. In addition, he shared a personal story in which forgetting his phone made him unable to log into an ONU website during class. He had to return to his dorm room to get it, causing what he estimates to be a seven-minute disruption to his classroom experience.
Another student, Robert Klise, has had a similar experience and holds beliefs similar to Nathan’s. When I asked his overall opinion, he said, “I absolutely have a major dislike for Duo.” He is irritated that doing homework sometimes requires multiple logins with Duo Authentication, and that the program will not remember a user’s device. In addition, he shared an experience similar to Nathan’s: there have been instances where his phone running out of battery left him unable to submit classwork items.
These latter two accounts share an interesting theme. They both indicate difficulties in maintaining a cell phone as a tool throughout the day, which has not previously been a practical requirement of enrollment at ONU. Interestingly, access to a cellular device is not stipulated in Ohio Northern’s student code of conduct. In this sense, a burden has been placed on the student body, extending beyond the bounds of the established student-institution relationship. It seems this is the source of the student body’s discontent, not anything inherent to Duo Authentication itself. This would explain the slight discrepancy between students’ evaluations of their online security and their overall impression of Duo Authentication. People tend to be averse to change. It is possible that if Duo Authentication had always been the policy of Ohio Northern, this brief investigation would have yielded different results. This means it is also possible that ONU will warm up to the idea given time.