With the changeover to our new password reset system, I have had several emails from people voicing concerns over using the Microsoft Authenticator app. Although most of you have now installed it, I thought I would explain it in a little more detail, to hopefully alleviate the concerns of those who haven’t yet.
The Microsoft Authenticator app gives us zero access to people’s phones, and doesn’t do anything like location tracking or collect information from your phone. We can’t exercise any control or have any visibility into the phone’s use or its contents through this application. The only thing it does is deliver a code to you when you open the app. This code is generated by Microsoft, and is a way for the system (not us) to verify that the person changing their password is the person attached to that user account and not a hacker. This is known as two-factor authentication (TFA), which many financial institutions, social media sites and others are using as a means to help verify identity. It provides us with a line of defense against hackers compromising people’s accounts, and hopefully will help us avoid some of the major compromises (ransomware, personal data theft, etc.) that have hit Canadian educational organizations over the last few years.
You should also be aware that this app consumes very little data, so it won’t affect your bill. It is not the same as a text message. It only uses a tiny bit of data when you open the app to get the code, so tiny it’s almost immeasurable. Plus, you will only need to use it when you change your password (once every three months-ish) or unlock your account.
If you don’t want to use the app or don’t have a smartphone, there is the option to use an alternate email address to get the code. We would prefer if people didn’t use this option, for two reasons. If you need to use a school division computer to access your personal email to get the code, you may not be able to if you are currently locked out. Also, we have found that when people’s GSCS account gets compromised, quite often their personal email accounts are compromised as well. This enables hackers to intercept the code and the change of password.
The interesting thing about compromised accounts is that you are usually completely unaware. Hackers are very good at hiding and covering their tracks. To give this some perspective, on any given day we have 200 to 400 compromised and high-risk accounts. High-risk accounts are ones showing unusual activity. An example of what we will typically see with these compromised accounts: you will be logged in at your school and at the same time you’ll be logged in from Russia. Whoever is at the other end (in Russia or other countries) will be reading all of your emails and accessing data that you have access to. This data could be your paystubs, student data that you have access to or any other GSCS data source you can access. Sometimes the hackers will even elevate your privileges without you (or us) knowing immediately, giving them access to even more systems in our school division. This is a very serious threat, not only to privacy but potentially with financial ramifications if they could access your financial information, social insurance number, etc.
I hope this email addresses your concerns about the Authenticator app and why we are making these changes. We are only implementing security systems to try to avoid a major security incident striking our school division down, as we have seen happen to others across the country and in our province over the last short while. Education has been a prime target for organized crime over the last four or five years, and the intensity of this activity has been increasing aggressively. The changes we are making are designed to protect you, our students, and our data and systems. As we are doing this, we are carefully selecting processes that are the least invasive to you.