The Daily Tar Heel
Printing news. Raising hell. Since 1893.
Thursday, June 13, 2024


'I hate 2-Step': Students and ITS are at odds over HeelMail's 2-step verification

Students move between classes by the Robert B. House Undergraduate Library on Monday, Oct. 22, 2018.

CORRECTION: An earlier version of the article incorrectly stated that one student has not been required to use 2-step verification. The student is registered for Heelmail 2-step and Duo. Additionally, the article incorrectly states that international calling plans are necessary to use 2-Step. This is not required. The story has been updated with the correct information. The Daily Tar Heel apologizes for this error.

A semester after the implementation of 2-Step Verification to log into UNC email accounts, many students are still not convinced that it’s useful.

2-Step Verification was rolled out by UNC Information Technology Services for use on the Microsoft Office server that hosts the University's email accounts. It requires users to log in first with their password and a second time through the 2-Step system.

The additional login takes the form of a text message, a phone call or a pop-up notification on a smartphone. 

“It takes too much time,” said Tyla Gomez, a junior communications major. “I just want to get in and get out. I don’t even know what it’s for.”

According to the ITS website, 2-Step is used to provide additional protection from hackers. In July 2017, UNC experienced about 600 instances of compromised email accounts, said Dennis Schmidt, assistant vice chancellor and chief information security officer.

Often, people would receive emails from legitimate University accounts and provide login credentials that allowed an online phisher to steal information, Schmidt said. In one instance, a phisher accessed an email account and diverted a faculty member's paycheck to a bank overseas. 

ITS is pleased with the impact of 2-Step Verification, said Kate Hash, chief of staff and director of communications and policy for ITS. In November, there was only one compromised account, while in December, there were none, Hash added. 

“For us to go from hundreds of compromised accounts in a couple months to zero in December is huge,” she said.

However, in November 2018, campus lost access to Heelmail for almost the entire business day, impacting 50,000 faculty, staff and students who had 2-step verification. 

On Nov. 19, Microsoft experienced a worldwide outage for nearly 17 hours when its authentication services in Asia and Europe failed. Microsoft attempted to fix the problem by directing access requests through American servers, which overloaded the system.

ITS tried to mitigate the impact by temporarily enabling a series of IP addresses so users on campus would not have to validate with 2-Step Verification; however, individuals off campus were still barred from their accounts.

The day after the outage, ITS sent an email to the entire UNC community acknowledging the incident.

"Our IT staff will work with Microsoft to understand more about the root cause and how the company plans to limit this risk in the future," the email read. 

UNC ITS contacted Microsoft after the incident. Hash said Microsoft agreed to provide more immediate and clear communication with the University as one of its customers.

Schmidt said that Duo and 2-Step Verification are the current industry best practice for protecting accounts, and UNC followed N.C. State and Duke University in its implementation.

Users set up 2-Step Verification by enrolling in the system for their Heelmail and registering a device for the secondary security login. Though this initial enrollment happens only once, users go through the additional verification step each time they log in.

Alternatively, users can select the option to stay logged in, which appears when they first log in, Schmidt said.

Everyone with a UNC email is required to use 2-Step, including professors, according to the UNC ITS website.

Ayanna Webster, a sophomore neuroscience and exercise sports science double major, sees 2-Step as a hassle.

“Sometimes I’m in class and my phone’s in my pocket, but I just need to look up something simple on my computer,” she said. “I can’t do that without pulling out my phone and my teacher thinking I’m off-task.”

Hassan Melehy, professor of French and interim chair of the Department of Romance Studies, called the system faulty, citing a time he had to type in a verification code three times in a row before he could access his email.

“I got the code, I entered it correctly; I got the code, I entered it correctly. I couldn’t get in – to my own account,” he said. 

Class work can be affected by 2-Step Verification as well, sophomore Raven Selden said. 

“Sometimes the code doesn’t send to my phone, so I’ll be locked out of my email for a good hour and a half,” Selden said. “We had a room change for my interview, and I did not know because I couldn’t get into my email. I hate 2-Step.”