November 2017 Advocate: Concerns about ITS’ plans to change login procedures
Why I’m concerned about ITS’ plans to change login procedures to “single sign-on” and “2-step verification”
by Tom Broxholm, Automotive Technology, Skyline College
Do you have one user name and password that you use for multiple logins? Do you use your email password to login to any other SMCCD applications (e.g. Canvas?) Then you are using single sign-on. Single sign-on can make our life simpler but it can also make us more vulnerable and possibly compromise our personal security.
Do you use the same user name and password for your online banking and credit cards that you do for Amazon, Facebook, Twitter, etc.…? If you ask your bank or credit card company they will advise you not to. When you use one user name and password for everything, all a hacker needs to figure out is that one password and then will have the keys to your kingdom. Your user name and password should definitely be different for applications with financial and other information that should be kept highly secure.
What does this have to do with SMCCCD faculty? I’m on the Technology Committee at Skyline College and single sign-on was raised in one of our meetings. To me this sounded good until I heard that Websmart would also be included in the single sign-on list. I am concerned because our personal and financial information is included in Websmart and it should not be part of single sign-on. As a member of this committee, I feel that I represent all faculty that can’t attend. When something this big can have such an impact on everyone in this district I felt it was important to inform and educate all of my colleagues.
I did some research and discovered Bruce Griffin, Edgar Coronel and Jasmine Robinson at the District IT department were the main players heading up the single sign-on feature. I expressed my concerns with Bruce and the IT team. I was told that an extra layer of protection called 2-step verification would be implemented for Websmart. 2-step verification requires two different forms of identification, e.g. your password and the answer to a secret question (that you previously answered.) Even if someone else finds your password, they’ll be stopped if they don’t have access to your second identification info.
2-step verification is good for certain situations, but sometimes I log into Websmart multiple times within a short period of time. 2-step verification would make my job more difficult and time consuming and it defeats the purpose of the simplicity of single sign-on. I’m in favor for single sign-on, just not for Websmart. I’m advocating that the District allow us to exclude Websmart from single sign-on and allow us to continue to access Websmart with a separate password.
Hopefully everyone is using a strong password for Websmart. If not here are a few simple rules. Minimum of 8 characters, use a mix of upper and lower case letters, use at least one number and one symbol. Stay away from birth dates, home addresses and zip codes. If you are concerned as I am, I recommend that you take a moment to communicate your concerns to the IT department. Maybe if enough of my colleagues feel the same way and communicate this to our IT department our security and logon simplicity can be optimized. Simplified and personal information can be secured without the need for 2-step verification.