Student multifactor authentication campaign achieves 100% activation rate

Information Technology Services (ITS), in partnership with communications colleagues across campus, successfully delivered a robust communications campaign throughout October, encouraging student Cyclones to activate multifactor authentication (MFA). As of November 13, all Iowa State students had been activated.

While all Iowa State faculty and staff currently use multifactor authentication, the two-step login system that increases the security of users’ Iowa State accounts, students had the option to voluntarily enable the security feature. ITS began encouraging student MFA activation in March with plans to require the two-step login later that month. However, with the transition to remote working and learning, the plans were delayed until October.

To prepare for the October campaign, the ITS identity services, IT security, IT Solution Center and strategic communications teams gathered to discuss potential challenges along with a project plan. In collaboration, the teams prepared and delivered targeted emails, social media posts, messaging in Canvas and on Okta dashboards, and also delivered a media kit to campus communicators which included content for newsletters and social media, graphics and digital display assets.

“It was important for us to avoid the jargon often associated with the tech world and help students understand why enabling multifactor authentication is really a great cybersecurity tool, especially now that they are spending so much time online,” said Scott Butterfield, ITS change manager.

All MFA communications outlined the various authentication methods used for login, which included push notifications through the Okta Verify app, text messages, phone calls, the Google Authenticator app and YubiKey tokens (a device similar to a USB drive). Okta Verify remains recommended method for ease of use.

Throughout the campaign, college communicators and local IT teams were kept abreast of activation progress. Additionally, ITS identity services created an interactive dashboard that allowed the project team to pivot activation data by college, year in school and major. This data was integral in scheduling the enforced activation for students who, by October 30, had not yet enabled MFA.

As the enforced dates, October 31 – November 13, coincided with the often-competitive class registration process, care was taken to ensure each student’s activation time did not conflict with their class registration process.

By the end of the month-long campaign, more than two thirds of all current students had activated MFA voluntarily, leaving just over 10,000 students remaining. During the two-week enforcement process, unactivated students received an automated prompt to enable MFA and were required to do so before again accessing their ISU accounts.

ITS teams closely monitored incident tickets submitted to the IT Solution Center regarding MFA setup during this period, and thanks to the comprehensive communications plan and published informational resources, fewer than 40 incidents were reported for the 10,000 enforced activations – a less than .5% call rate.

“This was a great opportunity to connect with communicators across campus,” said ITS communications manager Maggie Conner, “and while we introduced a little friendly competition between colleges - tracking who had the highest activation rate on any given day - there was a lot of collaboration behind-the-scenes.”

Now that all students have activated MFA, they are better protected against phishing, in the event they are tricked into sharing a password on a malicious site. Students are also better protected against password reuse, meaning if they use the same passwords for multiple sites and accounts, hackers cannot easily break into their primary, ISU email.

Going forward, ITS plans to develop and share resources to help the campus community capitalize on the benefits of using their Okta dashboard to access their accounts.

For more information about what you can do to increase the security of your devices, check out the Securing Your Devices article in the IT Portal.