In response to a targeted March 2019 cyber attack on Oberlin’s admissions database, the Center for Information Technology will implement the password sign-on service Okta during fall break. Okta will augment Oberlin’s previous password system, ObieID, on Oct. 22.

Okta is considered a leader in login authentication and a well-known solution to data security. Its clients include JetBlue, 21st Century Fox, and Maryville University. Before deciding to use Okta, Oberlin also considered Duo Security, a two-factor authentication service owned by Cisco.

“One of the reasons we chose Okta was because it will allow us to automate the process of student account creation, which will make it possible for us to give new students their ObieID more quickly than we do now,” Chief Information Technology Officer Ben Hockenhull wrote in an email to the Review.

One of Okta’s primary features is that it will allow Oberlin to add further security measures, including multi-factor authentication. Multi-factor authentication requires two or more separate pieces of evidence to access an account. When a password is supplied the first time, the user will need to verify their identity. They can do this with a code sent via text, phone call, or to a secondary non-Oberlin email account. Oberlin is also currently looking into YubiKey, a physical USB security key product that generates a unique passcode with each use.

Students were first informed that Oberlin would use Okta in a Friday, Sept. 27 email from CIT. In the email, CIT Communications Manager Jacquelynn Gaines stressed the dangers of the current digital age and referenced the previous cyberattack. In March, databases controlled by the offices of Admissions and the Financial Aid were hacked, exposing student data to an unknown cyber attacker.

“We share and consume more data today than at any previous point in history,” Gaines wrote. “As data usage increases, so does the number of people attempting to make a living by stealing that data. Faculty, staff, and students at Oberlin have been victim[s] of phishing scams, data breaches, and compromised passwords, and those threats are constantly increasing.”

At the moment, the College is engaged in a testing process prior to implementing Okta. It is a relatively self-sufficient system and is running without the need for additional staff members or constant maintenance. Seven months have passed between the cyberattack and the announcement of Okta’s implementation.

“Okta was supposed to be implemented last semester, as far as I know,” said CIT help desk consultant and College third-year Michael Liu. “I was told there was some bug in it, but they were working on it over the summer.”

Despite the new security measures, CIT recommends that students also take online security into their own hands.

“The reality in 2019 is that we live in a world where data is currency, and everyone’s personal information is continually at risk,” Hockenhull wrote. “It is necessary that each person develop their own personal cyber security practices, even as CIT continues to focus on institutional cybersecurity.”

These practices include never using the same password twice and creating passwords — or passphrases — that are harder to crack.

“The longer your password is, the longer it takes a computer to randomly guess it, letter by letter,” CIT Computer Systems Administrator Chris Mohler said. “So if you had a passphrase, instead of a password, it would be much better.”

Although future cyber attacks still pose a risk to educational institutions like Oberlin, the Okta password service will be updated and improved periodically to avoid such breaches.