Accessing Your Student Link Data Will Take a New Extra Step

Accessing BU’s Student Link will become a two-step process February 5 as the University seeks to boost privacy protections. Photo by Jackie Ricciardi
Accessing Your Student Link Data Will Take a New Extra Step
BU implements two-step authentication to protect University community from online scammers
BU is reinforcing one wall around student privacy to thwart phishers. Starting at 6 am on Wednesday, February 5, the University is requiring a two-step authentication process for students to view their financial, academic, and institutional data in BU’s computer system via the Student Link.
Duo Security, the new sentry guarding student information, has been used for six years by University employees when accessing BUworks, which stores direct-deposit banking, payroll, and tax withholding information and other personal data. It was implemented to protect employees from online scammers.
The Duo process will require students to log in to the Student Link with their usernames and Kerberos passwords, as in the past. Then they will be asked to confirm their login, either via a smartphone app, an automated call to a mobile or landline phone, or a text message to a cell phone. Students will be guided by prompts to set up Duo by enrolling early via the prompt currently on the Student Link or when they try to log in to the Student Link starting February 5. FAQs about the new Duo system for Student Links can be found here. Eric Jacobsen (CAS’93, MET’03), the University’s executive director of information security, answered BU Today’s questions about the new protocol.
Q&A
With Eric Jacobsen
BU Today: Why did the University decide now that this was needed for the Student Link? Are there phishing cases involving students that prompted this?
Jacobsen: The plan to provide Duo two-factor authentication to our student community has long been a goal of the Information Security team. Recent events, such as the Chegg breach, are a good example of why it’s paramount to do this. The 2018 breach of California textbook rental site Chegg compromised the addresses and passwords of millions of users, although the company says no financial information or Social Security numbers were stolen.
The addition of Duo would help prevent breaches like this from impacting student records in the future. All of our peer institutions are currently employing some form of two-factor authentication, with the majority of them using Duo. They include Boston College, Northeastern University, Tufts University, Brown University, Case Western Reserve University, Columbia University, Emory University, New York University, Northwestern University, Syracuse University, the University of Miami, the University of Rochester, and the University of Southern California
Wired had a story saying that while two-step enhances security, it’s not perfect. Is it fair to call it current best practice with online security, and what precautions would you advise students to still take, so as not to let their guard down?
No solution offers 100 percent protection. That is why we all have to take an active part in our own online security. That includes monitoring accounts for suspicious activity, thinking before you click on links, and employing security best practices.
Two-factor is a top recommendation that allows users to take an active part in their security. Two factors will always be better than one. Google engineer Grzegorz Milka says the number one thing most people can do to protect themselves online is to enable any type of two-factor authentication for their important accounts.
Is it true that the Duo system for the Student Link, as with BUworks, does not require a smartphone?
Correct. With Duo, you can use a smartphone, tablet, text, or landline. We recommend the smartphone app over the other methods.
Will BU employees who need access to the Student Link also use Duo?
Yes, staff who take advantage of tuition remission and are taking classes must log in to the Student Link to register and access grades. We do not have a number [of how many such students BU has], but this process will not look any different than it does for BUworks today.
Comments & Discussion
Boston University moderates comments to facilitate an informed, substantive, civil conversation. Abusive, profane, self-promotional, misleading, incoherent or off-topic comments will be rejected. Moderators are staffed during regular business hours (EST) and can only accept comments written in English. Statistics or facts must include a citation or a link to the citation.