Data security is a concern for corporations of all sizes, government organizations, and schools. Hackers target higher education institutions for their intellectual property, personally identifiable information, and financial information. The California Department of Justice considered MFA as “reasonable security procedures and practices…to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” The College is expected to meet "reasonable security" or risk being liable for negligence in case of a data breach. According to the California Department of Justice 2016 Data Breach Report, in the last four years, nearly 50 million records of Californians have been breached, and the majority of these incidents resulted from security failures. The Office of the Attorney General recommended:
Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
The College of Marin's IT Department takes cybersecurity threats very seriously, and we need your support and contribution to keep the College data safe. In alignment with our strategic goals, we have been working to add a layer of security while using online accounts. You may already be using MFA solutions with your bank, credit card, or even commercial email accounts.
What is Multi-Factor Authentication (MFA)?
MFA, also referred to as two-factor authentication (2FA), is a method of system access control in which a user is only granted authorization after successfully providing a second authentication method beyond the basic username/password. A user is required to enter a password and also authenticate using a second factor, typically a cell phone (to receive a verification code). The concept is based on:
- Something you know – your MyCOM username and password
- Something you have – your mobile phone (or an alternate email address, to accommodate users without a phone)
MFA provides the following benefits:
- Prevents unauthorized access to your information
- Protects College data, even if a MyCOM username and password have been compromised.
- Helps identify compromised credentials before they are misused.
- Provides options for your second authentication factor (phone or email)
MFA deployment and next steps
We are deploying this required security enhancement for our web-based services. The enhancement will allow additional protection through the use of text and email verification codes.
You may expect the following after December 27th, 2017:
- Users will have to provide new secret answers and an alternate email address in the new system for password recovery and access verification.
- Users may also receive verification codes on mobile devices, as they will be given the opportunity to register these devices during a later rollout.
- Users who have forgotten their MyCOM password should use the First Time Users link, as the Reset Password link cannot be used until secret answers are captured in the new system.
- The First Time Users process cannot be repeated. Please remember the answers to your secret questions.
- The implementation of verification codes will come in a second phase later in the Spring Semester.
Q: What will be the user experience starting December 27th, 2017?
A: Users will be prompted to provide new secret answers and an alternate email address the first time they log back into MyCOM.
Q: What if a user forgot his/her password?
A: Users should complete the First Time Users process to reset their password. Reset Password cannot be used until secret answers are captured in the new system.
Q: What if a user forgot his/her password and has no alternate email address on file?
A: Users must contact IT Support (email@example.com or Ext. 8888).
Q: When will the new MFA module begin prompting for verification codes?
A: Later in the Spring semester.
Q: Will verification codes be required on campus?
A: NO, we will create an exemption for COM networks.
Q: Will verification codes be required with every login off campus?
A: NO, the vendor's algorithm will detect when to apply MFA based on unfamiliar or suspicious traffic.
Q: What if a user prefers to use a cell phone to receive verification codes?
A: When MFA is turned on, users will have both email and text options to receive the verification codes.
Q: Why am I receiving communication from QuickLaunchSSO?
A: QuickLaunchSSO is our MFA vendor. All verification communications will display their signature.
For help, please send an email to firstname.lastname@example.org or call Ext. 8888.