Data security is a concern for corporations of all sizes, government organizations, and schools. Hackers target higher education institutions for their intellectual property, personally identifiable information, and financial information. The California Department of Justice considered MFA as “reasonable security procedures and practices…to protect personal information from unauthorized, access, destruction, use, modification, or disclosure.” The College is expected to meet "reasonable security" or risk being liable for negligeance in case of data breach. According to the California Department of Justice 2016 Data Breach Report, in the last four years, nearly 50 million records of Californians have been breached and the majority of these incidents resulted from security failures. The Office of the Attorney General recommended:
Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
The College of Marin's IT Department takes cybersecurity threats very seriously, and we need your support and contribution to keep the College data safe. In alignment with our strategic goals, we have been working to add a layer of security while using online accounts. You may already be using MFA solutions with your bank, credit card, or even commercial email accounts.
What is Multi-Factor Authentication (MFA)?
MFA, also referred to as two-factor authentication (2FA), is a method of system access control in which a user is only granted authorization after successfully providing a second authentication method beyond the basic username/password. A user is required to enter a password and also authenticate using a second factor, typically a cell phone (to receive a verification code). The concept is based on:
- Something you know – your MyCOM username and password
- Something you have – your mobile phone (also altername email address to accomodate users without phone)
- Prevents unauthorized access to your information
- Protects College data, even if a MyCOM username and password have been compromised.
- Helps identify compromised credentials before they are misused.
- Provides options for your second authentication factor (phone or email)
MFA deployment and next steps
We are deploying this recommended security enhancement for our web-based services. The enhancement will allow additional protection through the use of text and email verification codes.
You may expect the following this Summer 2018:
- Users may receive verification codes via email or text. To register your mobile device, please use the Security Profile section in the MyCOM portal
- Users that have forgotten their MyCOM password should use the First Time Users link, as the Reset Password link cannot be used until secret answers are captured in the new system
- Depending on location, browser, device, and other factors, users may or may not be prompted for a verification code off campus.
Q: What will be the user experience starting December 27th 2017?
A: Users will be prompted to provide new secret answers and an alternate email address the first time they log back into MyCOM.
Q: What if a user forgot his/her password?
A: Users should complete the First Time Users process to reset their password. Reset Password cannot be used until secret answers are captured in the new system
Q: What if a user forgot his/her password and has no alternate email address on file?
A: Users must contact IT Support (firstname.lastname@example.org or Ext. 8888).
Q: Will verification codes be required on campus?
A: NO, we will create an exemption for COM networks.
Q: Will verification codes be required with every login off campus?
A: NO, the vendor's algorithm will detect when to apply MFA based on unfamiliar or suspicious traffic.
Q: What if a user prefers to use a cell phone to receive verification codes?
A: When MFA is turned on, users will have both email or text options to receive the verification codes. To register your mobile device, please use the Security Profile section in the MyCOM portal.
Q: Why am I receiving communication from QuickLaunchSSO?
A: QuickLaunchSSO is our MFA vendor.
Q: Why are my verifications codes delayed? I don't have enough time to enter my verification code.
A: The District does not have complete control of message delivery to your external email provider. While verification codes are sent immediately, some email providers take longer to deliver messages. Often, SMS text messages are delivered faster than email messages. If you have a mobile phone, you are encouraged to register your phone number using the Security Profile section in the MyCOM portal. If email delivery is your only option, please open your mailbox in another browser window/tab before you log into the MyCOM portal. This step should cut down on the time needed to retrieve your verification code.
Q: Why am I getting an invalid verification code?
A: Verification codes are only active for 10 minutes after they have been sent. Please allow some time for the verification code to arrive. If you click resend to generate another verification code, be sure to use the latest code sent. Carefully type your verification code to ensure accuracy.
Q: Why am I getting prompted repeatedly after I've completed MFA verification on my device?
A: MFA stores a number of factors for your device, such as IP address, browser version, location and others. If any of these factors change, you will be prompted to re-verify your device. Don't forget to click the "Trust this device" if appropriate.
For help, please send an email to email@example.com or call Ext. 8888