It has been a busy start to the spring semester at Mississippi State University’s Information Technology Services (ITS) with the requirement of Two-Factor Authentication for students, the introduction of a new student email domain and the switching of student worker emails from BullyMail to Exchange.
Last semester, ITS announced its plans to create a new student email domain, which would separate the students from staff and faculty.
ITS reached out to the Student Association (SA) to come up with an appropriate possible name for the new domain. According to Mayah Emerson, SA president, the SA conducted a poll with the possible domains to gather student input, and surveyors decided on @student.msstate.edu.
“ITS requested that the Student Association ask students their opinion, and that is what we did,” Emerson said. “Out of the four choices, choices generated by students, student.msstate.edu was the clear winner, with almost 1,000 students selecting it as their number one choice.”
The other options on the poll included @1878.msstate.edu, @dawgs.msstate.edu and @maroon.msstate.edu.
Emerson said she is grateful ITS reached out to gather student input.
“With all of the changes happening on our campus regarding technology, I am thankful that students were consulted every step of the way,” Emerson said.
ITS Security and Compliance Officer Tom Ritter said the change may take some time, but ITS is working on pushing it forward.
“We’re moving forward with making that work. It will take a while to actually complete that move,” Ritter said. “Think about all the data that comes out of banner and all that, so we quite a bit of backend changes, but we’re going to start making it available now.”
Email change to Exchange
In the ITS department’s newest email change, student workers were switched from a BullyMail email to a Microsoft Office Exchange account. The change, which happened in late January, was influenced by the way workers received spam.
“It all goes to Microsoft first, and then it lands in people’s mailboxes who are there, but we’re using Microsoft for our anti-spam engine for Google. So, it goes to there, gets classified as spam or not, and then gets sent over to Google,” Ritter said. “So what that meant was the students who were already in Exchange and had accounts, well it landed in their mailbox there. It never even makes it to Google.”
Ritter said the Office 365 program is extremely convenient in that one can have Exchange, Word and Excel all in the web, as well as One Drive, which is a web-based cloud system.
“We’re trying to simplify and make things cleaner,” Ritter said. “It’s still a pretty complicated email environment.”
Ritter said due to this change, regular BullyMail users who were not switched to Exchange will now see spam messages in their junk folder.
“Now you should look in your junk mail folder to see if there’s any messages that might have gotten configured as spam that you didn’t want to be configured as spam and you can white list them,” Ritter said.
Duo deemed a success
Since Jan. 15, students have been required to have Two-Factor Authentication through using Duo.
Ritter said most students had signed up before the deadline, and he considers the launch a success.
“I would say we had well over 75 percent of the students enrolled before even coming to the deadline,” Ritter said. “Students listened and signed up for it.”
Ritter said the number of compromised accounts are down considerably since the launch of Duo. However, Ritter said there is still a way to send mail without using two-factor, and account hacks are still possible.
“We still do have some compromised accounts. For example, just last week we locked a few accounts because somebody’s password had been posted on the web. That’s still a concern,” Ritter said. “There are still ways to send mail without sending two-factor, we’re shrinking that down and eventually there won’t be any way to send mail without it being two-factor.”
Ritter said another way for hackers to get in is for them to obtain a user’s password and then the user accidentally tap “approve” on the Duo app. Because of this, Ritter said any time a known password is exposed on the internet, the user’s account is locked.
“We’ve had a handful of those, but it’s been a very small number compared to the big numbers that we used to have,” Ritter said.
At this point, all current students are signed up with Duo.
Ritter said the number one complaint is people get new phones and cannot log in at first.
“We’ve not heard a lot of complaints,” Ritter said. “There is always the issue that, ‘I’ve got a new phone and I can’t log in.’ That’s now become a fairly common support request.”
Cameron Massengill, a junior computer science major, said he is not a fan of the new requirement.
“I understand why they did it, just to make sure we are securing our myState accounts, but at the same time, it kind of sucks just because I have to have my phone on me just to get into my account, and sometimes our phones are dead or we forget our phones and can’t get into our account when we need to, like to check our balance or to pay for something,” Massengill said.
Ritter explained this is what many people believe, but thankfully there is a way for users to log in without using their phones. It is more complicated though.
“Students can always log in. They can go to the 2fa.msstate.edu page and from there, that’s where you get a bypass code, so even if you’ve lost your phone, you’ve run over it with a truck… no matter what if you’ve gone through that you can generate, even without your phone, you can generate a passcode for 24 hours that’ll let you get in,” Ritter said. “You just have to answer a bunch of questions about yourself.”
The bypass code is a way for students, faculty and staff who do not have their phone on hand to still log in and get to their account, but Ritter said he does not recommend going through this process every login.
“We don’t really encourage you to use that all the time because you have to answer a whole bunch of stuff and then you’ve got to generate a code and it’s kind of a pain, but it’s convenient,” Ritter said.
Ritter said there have been no other complaints to ITS about Two-Factor Authentication, and its application has gone well since its inception at MSU.
MSU is currently the only school in the state utilizing this type of account security.
“We are very excited that we’re the only school in the state that’s doing it,” Ritter said. “We view it as a competitive advantage that we care about our students’ security, and we’re kind of leading the state in that element of user security.”