After nearly 20 student employees, faculty and staff saw their paychecks stolen since the College began using Workday to manage employee finances and payments in January 2016, Bowdoin Information Technology (IT) rolled out two-step authentication, which became mandatory on Tuesday. Five of the thefts occurred within the past two months, according to IT Security Officer Eric Berube.
When hackers gain access to an employee’s Workday account, they can fraudulently change the employee’s direct deposit information and view Social Security numbers, tax information and other sensitive data. Berube said protecting that information, as well as employees’ paychecks, prompted IT to require two-step authentication for Workday.
Two-step, or two-factor, authentication adds a second check to the login process, so a stolen password alone is no longer enough to get into an account. The first step is the individual’s password; the second step works through a system called Duo. Employees can download the Duo Mobile app on their phone and approve a push notification whenever they log into Workday. The app can remember a browser for up to 30 days, so the second step is not repeated on every login from that browser. Berube noted that the College has used Duo on an opt-in basis for about two years.
Individuals who do not have a smartphone can use a physical token, such as a USB security key, to verify that the login is not fraudulent.
“For the most part, once you get folks using Duo they generally really tend to like it,” Berube said.
He noted that certain college employees, particularly those in Human Resources and Finance, began using two-step authentication shortly after the College switched to Workday.
“Obviously they feel really good about it because they know that if they were to lose their password, that somebody can’t get in and do much larger bad things,” he said.
IT has also recently dealt with more than 60 hacked student email accounts, which creates a vulnerable situation for Workday because of Bowdoin’s “single sign-on.” Single sign-on lets students, faculty and staff use the same username and password for all College accounts, Berube explained.
Two-step authentication is currently available but not required for Office 365, which students and staff use to access their emails.
“We try to make it easy by tying everything together, so we try to reduce the number of times you have to log in, but ultimately that creates a vulnerability that if you lose your password, [hackers] have access to a lot of things,” said Berube. “So that’s why with two-step, you prevent that entirely.”