Students will have to go through additional login steps to access their financial information on the University’s website starting Oct. 27.
Under the new system, which uses the mobile app “Toopher,” developed by UT students in the Austin Technology Incubator, the personal financial information of students, faculty and staff will be inaccessible without an approval given on the phone app, said C.W. Belcher, associate director of Information Technology Services Applications. This is a type of two-factor identification, a process requiring two steps to identify a person before that person can view confidential information.
“One factor is knowledge,” said Mark Barber, assistant director of the University’s Financial Information System, at the Oct. 7 Student Government meeting. “You know your password, so you have your UT EID and your password, and you can sign on. Possession factor is something that you have on you, like your phone. Another factor could be something inherent to you, like your fingerprint.”
Users will first have to download the free app and pair their device with their UT Direct account using a password. Once the two are paired, every time two-factor secured information is accessed, it must be approved using the paired phone.
“If your password gets phished then everything you’re going to do on that account is open to whoever has your UT EID and password,” Barber said. “We want to make sure that we keep your financial information, in particular, secure, so we’re adding a second factor.”
Barber said in an email that a location feature will allow one’s phone to automatically approve the authentication process when in a trusted location, such as the user’s apartment.
Computer science professor Simon Lam said he likes the two-factor system because it is more secure. He compared the University’s process to banks sending text messages to get account information, which requires hackers to have both your password and your mobile device to gain personal information.
“If you just have a password, the password can be hacked or someone can guess your password,” Lam said. “Especially for people who use the same password for different logins.”
Mary Knight, associate vice president for financial affairs, said the new login policy is the result of an increase in Internet security risks on campus.
“Direct deposited paychecks were rerouted to other banks and resulted in financial losses,” Knight said in an email.
The new system was implemented in July for faculty and staff. Knight said nearly 10,000 employees have used the system successfully thus far.
According to Knight, currently only financial information — such as student emergency loans, W2 tax forms and banking information such as direct deposits — will require a second form of identification.
Belcher said this identification service could be applied to other areas in the future.
“Two-factor authentication may be expanded to other types of online services where inappropriate access would involve a high risk of financial loss, unauthorized release of confidential information, harm to the public or the University, civil or criminal violations or risks to personal safety,” Belcher said.
For non-smartphone users, there is an SMS text option. Belcher said the University is developing an option for people without a smartphone.
“Later this week, we will be implementing an enhancement that will allow users without a mobile device to also use Toopher,” Belcher said. “With this option, users will generate a list of one-time passwords that can be saved or printed for use when accessing a two-factor protected online service.”