Iowa State Sees Decline in Compromised Accounts Following Okta Rollout

Less than a year after the implementation of identity and access security platform Okta, the Iowa State University community has experienced a nearly 50 percent decrease in the number of staff and student accounts compromised by phishing, following a seven-year high in 2017.  

Due to the amount of research data, personal information, and staff and student accounts it hosts, Iowa State is an attractive target for hackers looking to obtain information or funds through fraudulent texts, emails, and phone calls known as phishing attacks. In 2011, 94 Iowa State accounts were compromised by phishing attacks and blocked, followed by 70, 162, 548, 374, 430, and 583 from 2012–2017, respectively. Another 1,994 phishing messages were reported directly to the Information Technology Services (ITS) Security Team in 2017. 

The rate of attacks and number of accounts compromised prompted ITS to add another form of security to protect personal information and identities on campus through Okta, put in place in early 2018. Okta is a cloud-based service that employs multifactor authentication (MFA), which introduces another step to the login process, such as a single-use security code texted to the user, or a phone call.  

“Phishing happens every day,” said ITS Security Analyst Andy Almquist. “It’s a means of gaining bank account information, passwords, personal information, and money. It’s an issue everywhere, and Iowa State is not immune. But MFA complicates the process of using stolen passwords to access the electronic workspaces associated with them.” 

Currently, 462 faculty members and 1,409 staff members have enabled MFA for their Iowa State accounts, with a target date for 100 percent enrollment set for March 1. Nearly 3,000 students have already enrolled as well, and the number of accounts compromised by phishing over the past year reflect the change across campus. As of Dec. 2018, a total of 230 accounts had been compromised over one year's time, a noticeable decrease from 583 in 2017. The ITS Security Team received 1,183 reports of phishing messages in 2018, compared to 1,994 in 2017 and 1,783 in 2016. 

According to ITS Systems and Operations Manager Darin Dugan, no one using MFA has been compromised. The Okta identity management platform uses MFA for its dashboard, which gives users one-click access to their web-based programs and applications without additional logins. Users can customize their Okta dashboards with access to their most-used applications. MFA is available to anyone at Iowa State, and all campus community members are encouraged to enroll in it. 

“Multifactor authentication is critical to protecting individual and university data,” Dugan said. “Passwords can be cracked, stolen, or given away. Good secondary factors cannot.” 

All suspicious communication — emails, phone calls, or texts asking for passwords or personal information — from unknown sources can be forwarded to the ITS Security Team at