At Berkeley Law, the IT department has been at the forefront of adopting CalNet 2-Step, a two-step verification system using Duo, that better protects institutional and personal data. Gabriel Gonzalez, Chief Technical Officer at the law school, took a few moments to share his experiences with 2-Step.
Berkeley Law’s IT services include a support desk, instructional support, software development, and a systems infrastructure group. Gonzalez stresses the importance of staying on top of privacy and security issues, particularly in the legal world where his group supports a wide range of users and functions. For example, Berkeley Law has legal clinics working on actual case law and has users traveling abroad who may encounter networks that do not meet campus security guidelines. Gonzalez and his team decided to implement two-step verification initially as a departmental pilot for staff who needed it most and then as adopters of the CalNet 2-Step.
“Two-step verification has become less of a thing that’s optional, and more something you have to do to keep up,” said Gonzalez. “It’s not just about the Law School adopting it - it’s about 2-Step being a success for the whole campus, because that helps us overall.” If everyone on campus adopts 2-Step, UC Berkeley would be a less appealing target phishers (hackers who seek to steal personal data). He compared the use of 2-Step to the benefits of herd immunity: reducing the risk of individual account compromise reduces the risk to all users and departments.
When encouraging his users to sign up for 2-Step, Gonzalez cites that it’s a great way to reduce phishing risks. He also points out that most people have already used two-step verification before, such as when logging into a bank account from a new computer. To help users grasp the personal impact of security risks, Gonzalez cites systems that are commonly utilized and contain critical personal data, such as CalTime, BearBuy, and Blu. He wants users to understand that adopting 2-Step isn’t meant to be a hassle, but rather to protect important personal information.
Gonzalez says he’s gotten a lot of positive feedback about 2-Step, particularly regarding the ease of self-enrolling by users who don’t have much technical knowledge. “I’ve been able to send out targeted messages to people and say, hey, you should enroll in this -- and people have been able to do this themselves. People want to be secure and appreciate learning how to take steps for themselves.” He did note that some users ran into issues when they wanted to enroll a YubiKey as their primary device rather than use a smartphone (to enroll a YubiKey, email firstname.lastname@example.org after enrolling your smartphone).
Gonzalez and his colleagues are also working to make CalNet 2-Step a part of the onboarding process so that new hires will sign up by default. “I’m really happy the campus put some funding into this to make it happen. I know it’s been a few years in coming and I’m glad it’s here,” said Gonzalez. “The more people using it, the better.”