Two-Factor Authentication: Necessity or Nightmare?

In accordance with Google’s two-step verification policy and the administration’s consultation with the United Federation of Teachers (UFT), Stuyvesant students were instructed on November 20 to add two-factor authentication (2FA) to their stuy.edu accounts. The 2FA requirement became enforced on November 26. 

The concept of 2FA had been making its entry onto the digital stage as early as 1996 but has become more common with the worldwide shift to online resources during the COVID-19 pandemic. 2FA attempts to secure accounts and users’ private data from online malactors. When logging into their account using 2FA, students must confirm that they are trying to access their account through a notification sent to their phones. 

In collaboration with the UFT, the administration decided that 2FA would be implemented for Stuyvesant accounts due to the greater security it provides for different stuy.edu platforms. “We are trying to be proactive to ensure student/staff data and personal info is secure,” Assistant Principal of Physical Education and Safety Brian Moran said in an e-mail interview. “Two-factor [a]uthentication is becoming the norm everywhere and we are looking to protect our Google domain, Talos, and Jupiter accounts.”

Students and teachers were instructed to set up 2FA on their e-mails before November 26. Those who did not set up 2FA before its implementation struggled to gain access to their stuy.edu accounts, causing difficulties for students and teachers. “[Government teacher Linda] Weissman was locked out too and some tech guy came in [...] and basically helped her get access,” senior Emily Wang said. “Then he showed her the list of everyone that was locked out. [It was so long that] they just kept scrolling.” If students did not set up 2FA in time, they were instructed to contact Technology Support Bryant Chu for information on how to set up 2FA. They would then be granted access to their stuy.edu accounts.

Cyberattacks are not a phenomenon unfamiliar to Stuyvesant students. Phishing attacks have been prevalent in the past, resulting in the administration warning students of these attacks’ dangers. “[Phishers] manually BCC’d the accounts on our StuySU mailing list with a link that led to a scam site,” Student Union Vice President Fin Ying said in an e-mail interview. “We sent out information and a cautionary message to the students to warn them of online safety.”

Students received a phishing e-mail from freshman Jaylenee Marin’s hacked stuy.edu account on November 8. The e-mail’s subject line read “Student Employment Service” and advertised a part-time or full-time survey-taking job. Linked in the e-mail was a Google Form where students could “learn more about the job” and fill out their personal information. An hour later, Ying e-mailed the student body, warning about the phishing e-mail. Despite this turbulence, Marin eventually regained her account. “I got my account back by going to the IT department and they helped me reset my account and set up two-factor authentication,” Marin said in an e-mail interview.

However, Ying is unclear if the phishing attack had any correlation with the implementation of 2FA. “That incident did tell [us] that we needed some type of stronger security system to ensure the safety of our students’ online safety,” Ying said. 

While many students have expressed inconvenience over the implementation of 2FA, the Stuyvesant administration believes security against cyber-attacks should be prioritized. “I feel the adjustment and extra step is worth it,” Moran said. “2FA is becoming more and more common and is something everyone will have to learn.”

Nevertheless, students experienced mixed reactions to the administration of 2FA. “Honestly, it’s a little annoying. When you’re trying to print something out [...] you have to log in [to the computer] but not only do you have to log in now, you [also] have to go on your phone to sign in again,” Wang said. “[But], it’s beneficial to prevent further hacks since it’ll be harder to log in to someone’s account.” 

Other students agree with this sentiment but also believe that there might have been better alternatives to 2FA. “While it is useful, I think there are probably easier methods to ensure accounts’ safety, like giving everyone a personalized code that they have to enter in addition to the password,” senior Ryan Peng said. “Or maybe make it so that I don’t need a separate device to complete the verification.”

Students also believe that they should have been given more autonomy in their choice to enable 2FA. “[Stuyvesant] should’ve made it ‘recommended’ instead of mandatory, because right now, a lot of people are forced to enable it when they really don’t want to, or they risk getting locked out of their accounts,” Peng said. “Having extra account security is nice, but having it enforced is like an antivirus software forcing you to do a full system scan every day.”

While the addition of 2FA occurred relatively quickly, the administration believes that everyone will be able to swiftly adjust to the change. “As with any change, there are likely to be minor inconveniences,” Moran said. “The [rollout] was intentionally gradual and after that minor adjustment, students [and] staff have been able to continue using all our platforms.”