MyUSD portal updates security, changes interface
Due to nationwide threats to students’ financial aid returns, the MyUSD portal has undergone changes with security updates. The new Desire2Learn (D2L) interface also launched last May.
The single sign-on functionality on the MyUSD portal was abandoned as a preemptive security measure after the U.S. Education Department’s Office of Federal Student Aid issued a warning, Joe Reynoldson, IT security officer, said.
“It’s called direct deposit fraud,” Reynoldson said. “The idea is that you steal a student’s credentials, you log into the student portal, you change the direct deposit number associated with your refunds to the financial aid and then when money is refunded to the student it actually goes to the attacker instead.”
The warning stated attackers were taking advantage of single-factor authentication for access to institution systems, a common practice of universities.
“Single-factor authentication is the simplest method of authentication where a person uses only one credential to verify him or herself online; usually the one credential is a password matched to a username,” the Federal Student Aid warning stated.
Before the update, the single sign-on channel let students access applications like D2L and WebAdvisor directly from the MyUSD portal without having to log in with a different credential.
Cheryl Tiahrt, Assistant Vice President of Technology, said the University decided to replace this process with links to the separate applications where an additional login is required.
“So the single sign-on channel is now just a quick links channel,” Tiahrt said. “That’s the basic difference.”
Reynoldson said the reason for the additional login is “the credential that gets you into the portal is not the credential that gets you into WebAdvisor and D2L.”
“So what we decided was that you wouldn’t be able to get into their system just by compromising the USD credential right so now you would have to compromise two different credentials to get into that portal,” Reynoldson said. “The credentials that you use for the university are much more public because they’re associated with your email address.”
Some students use their university email addresses for social media accounts, and a security breach at those sites often leads to leaked passwords.
“Attackers then go and take those passwords, correlate them to people’s email addresses and because people tend to reuse their password they’ll go try it to see if they can log in so that’s one of the ways that attackers get into your account is if you’re reusing the same password for multiple accounts,” Reynoldson said.
In addition to the new security measures USD has enforced, Reynoldson recommends students use a password vault.
“In order to make sure that you have a different password that is strong for every online identity you want to use a vault so that you only have the one very strong password to remember to get into the vault and then the vault is what actually puts the password into the system,” Reynoldson said.
Returning students and faculty may have also noticed changes in the D2L system.
A new user interface, Daylight, was put in place last May to make D2L more accessible on mobile devices, Tiahrt said.
“The My Courses widget and the layout of the course home and My Homepages were changed and it was necessary to do that in order to make it friendly for these other devices,” Tiahrt said.
Tiahrt doesn’t expect another major change to D2L besides the continuous improvement cycle, which updates D2L with monthly, incremental changes.
She also urges students to contact the IT help desk if they experience any issues with the recent changes. She became interested in learning how to find the best password manager for Mac in order to protect everyone’s passwords.
“It’s good for us to know what kind of issues and questions exist. If we don’t see those, then we don’t know where we should concentrate,” Tiahrt said.