Last week, Cornell University announced that several members of its community were victims of a phishing scheme. Using university IDs and passwords, hackers logged into Cornell’s payroll system and changed banking and account numbers for several employees so that direct deposits would be redirected elsewhere.
dance steps
Man’s foot positions for the basic rumba dance step. Image via AaronOReilly.

Cornell officials encouraged everyone who is paid by the university (faculty, staff, and students) to verify their financial details and strongly recommended — but did not require — everyone to begin using use a two-step login process. According to John Sack at HighWire Press, Stanford University has required two-step authentication since 2013 after it suffered a massive data breach.

Stories of cybercrime are so common today that they no longer make headline news. Unfortunately, university network security has historically been lax, reflecting the open culture of academe. At most institutions, a single login and password will get you access to your email, grades, human resource, and financial information, along with access to your library’s subscriptions. Last week, Jack Ochs described a sophisticated and sustained attempt to steal journal content from the ACS using compromised university credentials. I’ve heard personally from another publisher of systematic robot activity and would not be surprised that many publishers are the target of similar attempts to scrape and download their entire content.

All of the popular tools that we use everyday (Google, LinkedIn, Twitter, Facebook, WordPress, Instagram, among others) require two-step authentication when you sign up or attempt to change your account, and many offer it for everyday use. Personally, I find it odd that universities, who store data much more valuable than recipes, selfies, and cat videos are slow to require it — at least for individuals who are not physically present on campus.

While universities may not be motivated to change their authentication model for the sake of publishers, a stronger system will unquestionably make it harder for Sci-Hub and other future iterations of pirate websites to use compromised accounts to build their collections. For publishers, this is a a beneficial step. However, there may be an unintended consequence to adding another step to the authorization process. Off-campus users, who presently find their institution’s authentication process exasperatingly complicated, may be further driven from using authorized library resources. Adding more security to campus networks may unfortunately drive more authorized users into the shadows.

Universities have been very late to the two-step dance, but fashionably late may be better than not attending at all.

Phil Davis

Phil Davis

Phil Davis is a publishing consultant specializing in the statistical analysis of citation, readership, publication and survey data. He has a Ph.D. in science communication from Cornell University (2010), extensive experience as a science librarian (1995-2006) and was trained as a life scientist.


10 Thoughts on "Two-step Authentication: Finally Coming to a University Near You"

I agree with the article. Publishers are also taking steps to track compromised usernames and passwords by being part of The IP Registry. The Registry, with over 1.5 Billion IP addresses can track log ins and alert users to misuse. The whole industry needs to work together to stop this action and reduce the articles that the likes of Sci-Hub are stealing every day.

This summer, RedLink is introducing the RedLink Network. RedLink Network is run by a public benefit company of the same name. Its advisory council can be seen here:

RedLink Network will allow libraries to use two-step authentication to manage their access credentials, broadcast IP and other changes (Shibboleth, branding) to publishers with one click in a secure manner, and connect with service representatives at publishers so that they receive optimal customer service in a secure network. It also will allow libraries and consortia to manage their hierarchical relationships within the network.

RedLink Network will be free for libraries and publishers to join RedLink Network. Because it will be both secure and actively managed, RedLink Network will remain current and also help to ensure access integrity. Preventing misuse of credentials is the first major step, which RedLink Network is positioned to deliver.

The decade of infrastructure build continues, from CrossRef to ORCiD to CHORUS to RedLink Network.

A note on today’s comments: we usually have a policy that moderates out comments that are seen as “advertisements” or self-promotion of one’s products. Today we’ve decided to make a one-time exception to that rule–many publishers are struggling with how to move forward on critical infrastructure issues around security and authentication, and it’s helpful to hear that there are solutions available. So have at it, but be reasonable….

Apologies if my comment came across as a pitch but my point is that Publishers need a means of tracking the misuse in their internal systems. The likes of Sci-Hub and copycat Sci-Hubs are very clever in extracting usernames and passwords — sometimes users have no idea they have been compromised; sometimes they actively hand over their credentials. This is not about the maintenance of IP addresses but how to track misuse. If the industry can reduce the number of articles that the Sci-Hubs in the world can take, it will reduce its usefulness and currency and hopefully users will revert to their own library catalogs and not be tempted to search for articles on fraudulent services. We must stop the wholesale theft of articles from all publishers, especially small societies who rely on the income from their subscription sales to carry out the crucial work they do on behalf of their members and science as a whole. The theft also impacts OA publishers who have no authentication but who also have their licenses violated. They would really benefit from a way to examine internal systems to spot misuse.

Case Western Reserve University started using 2-factor authentication with our VPN access in early 2015. The library and campus IT partnered on the “messaging”. Library had IT folks “on call” and do several demos for various student audiences to make sure researchers were not avoiding resources due to the extra hurdles.

I don’t disagree that two-factor identification is important (I use it on my own google accounts for example) but after working as an instruction librarian at a university that went to two-factor for databases it was very irritating (only two factor for staff and faculty). Nothing worse than teaching a class and repeatedly need your cell phone to verify access to the databases…..

I don’t understand why being “physically present” on campus is significant. Many employees might be technically on campus, but still accessing systems on wifi eg through eduroam.

Two-step authentication often imposes additional time and hassle to the user. If you can reasonably be assured that the old guy who has occupied the same corner office for the last 30 years is a tenured professor, it seems reasonable to assume that his physical presence is a form of authorization. Similarly, many university libraries located in cities authenticate patrons as they come through the door by asking for their IDs. For these individuals, it may be reasonable to drop an additional step of online authorization. For roaming/off-campus users, it is much harder to prove their identity with just a username and password.

Comments are closed.