
Oberlin's Okta Verify 10 Hour Update: Cyber-Secure or Cyber-Bore?

2025-12-02T00:00:00.000Z

By Stevin Wallace, Ben Logan

Oberlin students Ben Logan and Stevin Wallace investigate Oberlin's abrupt change in Okta Verify's time frame, from weekly to only 10 hours. Through conversations with faculty, they discover exactly what caused Oberlin's CIT department to make this change.


Mics are set.

Cool, cool, cool. Lemme just uh, go to the script. Ah, dang.

Okta Verify.

Yeah, it's asking me to put in the password.

All right. Where's my phone?

Are you good now?

Yeah.

Okay. Let's start.

Hello. I'm Stevin Wallace. And I'm Ben Logan. And today we're gonna be diving into the recent Okta Verify update on Oberlin Campus.

Okta was introduced at Oberlin in response to a 2019 cybersecurity attack on the Office of Admissions and Financial Aid database; the group of hackers used a flaw in the "Reset your password" feature of OC Pass to gain information about prospective, current and former students who enrolled during or after fall 2014. This flaw has since been fixed, and in October of the following school year, Oberlin opted for a new security system, Okta Verify.

The prime feature of Okta is two-factor authentication. What this means is that in order to log in or change a password, you need two or more separate pieces of information. Often these two pieces are a password and a code from a phone app like Google Authenticator. This dual check makes it even more difficult for hackers to break into accounts, but it also means that users have extra steps when accessing their own accounts.

Recently the Okta login has been updated to a noticeably shorter timeframe of every 10 hours.

In order to understand the logic behind this updated Okta timeframe, we talked with computer science professor and tech ed committee leader Stephen Checkoway. The Ed Tech Committee is a group of deans, faculty and staff that meet to discuss all of the technology-related policies before they're passed.

Checkoway gave us some insight on the events that led to this authentication change.

This was in response to an incident where someone was able to gain access to an employee's payroll account. And my understanding is that the way that they did that was they had their password and they had started the login attempt, and because of the multifactor authentication that was in use, Okta was pushing a notification to their device. They did this over and over again until the person just agreed to log in and stopped getting notified. And that had the effect of giving whoever did this access to their account, and they were able to change their payroll information. And so this change to 10 hours was instituted in response to that.

Do you think that helps with that specific circumstance?

This was something that came up in one of the meetings the faculty have with CIT - it's the Ed Tech meeting. And CIT does not believe that this would've prevented the attack either.

Checkoway also explained how the choice to update the authentication timeframe did not follow ed tech committee policy.

I do know that the change to the 10 hours was not discussed with anyone outside of CIT. This was a unilateral decision, which, as far as I can tell, runs contrary to the policy that they're supposed to discuss these sorts of changes with the ed tech committee, who was supposed to have input into these decisions.

When asked for a comment on the recent update, members of the Oberlin computer and information technology team either did not respond or directed us to the communications office.

Professor Checkoway recommended we talk to visiting computer science professor Noel Warford, whose PhD is in the subfield of human-centered security. According to the National Institute of Standards and Technology, human-centered security focuses on the social influence and organizational side of online security.

Yeah, so I've used a number of different authenticator apps. My old institution in Maryland used Duo. I was using Google Authenticator here for a while. Uh, as far as Okta is concerned, I think there are very few cases where like an average Oberlin student or Oberlin faculty member or Oberlin staff member would have a scenario where the guarantees that Okta provides would not be useful enough to protect their accounts in most cases.

And why would an institution like Oberlin go to such lengths to protect students and staff from these alleged internet bad actors? Well, it turns out that Oberlin has a lot more of your private information than you may think.

As far as I understand, other things that Oberlin would have access to, student records are protected by law under FERPA. Also, if you are doing something at student health, your health data will be protected by HIPAA.

If you make payments or are paid by the college, then you have data on your banking information and social security number. Suffice to say the Oberlin Okta system protects a lot of your private information.

Okta Verify can feel like an unrelenting burden. What was once a weekly hassle has become a daily one, and for an institution that holds the detailed private information of thousands of staff, students, and alums, strong cybersecurity should be very important. But this increase in Okta verifications doesn't even address the original issue of a college employee logging into an account just to get the Okta notifications to stop. It actually increases this annoyance. Having a shorter authentication cycle may be better for long-term cybersecurity, but it's a decision that affects all students and staff, and these issues might have been prevented if the decision had followed policy and gone through the ed tech committee.

Thank you to Professor Steve Checkoway and Professor Noel Warford for allowing us to interview you.

Sources:

Article when they first implemented OKTA:

CIT: https://www.oberlin.edu/cit/bulletins/okta-password-self-service-enrollment-begins-tomorrow

Review: https://oberlinreview.org/19641/news/new-password-service-okta-promises-to-reduce-vulnerability-to-cyber-attacks/

Cyber attack in 2019

Official statement link: ERP: https://oberlincollege.sharepoint.com/sites/CIT/SitePages/ERP-Optimization.aspx

OKTA: https://oberlincollege.sharepoint.com/sites/CIT/SitePages/Gmail-Security-Enhancement---Stay-signed-in-safely-for-10hrs.aspx

Random background on them implementing it:

https://www.oberlin.edu/cit/bulletins/enable-okta-multi-factor-authentication-chance-win-smartwatch-0

https://www.nist.gov/blogs/cybersecurity-insights/learning-sharing-and-exploring-nists-new-human-centered-cybersecurity

What Oberlin has access to:

https://www.oberlin.edu/registrar/policies-procedures-forms/ferpa-basics
