Recently, a ten-letter name has been frequently appearing on my favourite Facebook page, UniMelb Love Letters. Though I attend classes well-dressed every day, no secret admirers have yet addressed a love letter to me. The addressee of so many of these anonymous letters, as you may already know, is Okta Verify, the University’s newly compulsory multifactor authentication (MFA) app. However, the response to Okta Verify within the University community has been largely negative.

Why are we upset about the application?

On June 28, we were informed that the installation of Okta Verify had become compulsory due to increasing cyber threats to the University. The University spokesperson explained the decision, stating that Okta Verify “protects the student’s account from unauthorised access, loss of private data, and malicious use … This is keeping in line with best practice guidance from the Australian Cyber Security Centre (ACSC) and also as implemented by other large organisations including many Australian universities.”

However, the roll-out of Okta Verify has been problematic. Failure to install the extra application prevents us from logging into Canvas to submit an assignment on the due date, along with stopping us from attending Zoom lessons on time.

Helen, an international graduate student currently in Melbourne, was asked to download Okta Verify after an incident. She was confused as to why the University forced her to install it:

“Actually, it has no use, and I have no idea why I have to use this one to get verified,” Helen said. Helen also encountered a login issue on her Okta account and was annoyed by the long queue: “Twenty students were waiting … eventually I asked a friend to help reset my account.”

Problems with Okta Verify have increased the pressure on Student IT, especially when students buy a new phone or accidentally delete the application. While trying to overcome mental health challenges in lockdown, students have been dragged into the black hole of technical difficulties caused by Okta Verify. Stress, anxiety and frustration have been exacerbated during this disruptive time.

Why did the University implement Okta Verify to protect us from cyber threats?

The University has been investing in advanced technologies to counter cyberattacks for some time. Director of the University Cybersecurity Team, Amit Achrekar, explained the methods that the University has adopted:

“We have deployed multiple cutting-edge cybersecurity technologies, invested in automation, partnered with leading cybersecurity services providers and improved internal processes to help reduce cyber risks,” Achrekar said.

In selecting Okta Verify as the chosen MFA application, the University took into consideration its security performance. According to the University spokesperson, the University assessed the “cybersecurity, privacy, support, features, integration & compatibility, future-roadmaps, commercial offerings, terms & conditions” of the app before partnering with the company. As Director of Cybersecurity at Bugcrowd and Sessional Lecturer for COMP-90074 at University of Melbourne, Sajeeb Lohani, explained: “[The University] will be asking tailored questions to determine the security posture of the vendor (in this case Okta), ensuring they have performed their due diligence to keep your data safe and secure.” 

Another consideration is cost, which can be minimised through a third-party application. Lohani said that a professional third party, like Okta Verify, has more resources to provide multidimensional protection:

“Okta has a large security team, alongside a ‘bug bounty’ program, implying that they also use a ‘crowdsourced’ security solution. Thousands of hackers will be testing these products to get financial incentives to verify the security of their product.”

What can the University do to increase student acceptance of MFA applications?

The IT support offered by the University must be bolstered during the roll-out of Okta Verify. Providing 24/7 instant support, which recognises the ways in which issues with Okta Verify can prevent studying, is essential. The University should extend service time to meet students’ demand for IT assistance. In addition, overseas students should be allowed to access the internal learning system anytime and anywhere, given the online-only nature of their studies during lockdown.

Student feedback must be taken into account by both the University and Okta Verify in order to improve the app’s design, both on and off campus. Additionally, students must be well informed about any updates to the app’s functions, to ensure they knowledgeable about how to further protect their privacy.

More cybersecurity webinars introducing the use of MFA to students would also be beneficial. These webinars should aim to answer questions about cybersecurity policies at the University to relieve students’ concerns about data collection, privacy protection and further MFA developments.

The compulsory installation of Okta Verify has brought about new tensions between the University and its students. These tensions can be ascribed to a lack of mutual understanding: while the University must bolster its communication and IT support for students, students must also recognise their important role in defending against cyber-attacks. Moving forward, the University should further explain the function of its MFA policies and respond to the high demand for IT assistance. These changes may help Okta Verify receive more positive and sincere confessions of love on UniMelb Love Letters soon.

If students need any assistance related to MFA, they can contact StudentIT or call 13MELB.