Last week, Cornell University announced that several members of its community were victims of a phishing scheme. Using university IDs and passwords, hackers logged into Cornell’s payroll system and changed banking and account numbers for several employees so that direct deposits would be redirected elsewhere.

Cornell officials encouraged everyone who is paid by the university (faculty, staff, and students) to verify their financial details and strongly recommended — but did not require — everyone to begin using a two-step login process. According to John Sack at HighWire Press, Stanford University has required two-step authentication since 2013 after it suffered a massive data breach.

Stories of cybercrime are so common today that they no longer make headline news. Unfortunately, university network security has historically been lax, reflecting the open culture of academe. At most institutions, a single login and password will get you access to your email, grades, human resources, and financial information, along with access to your library’s subscriptions. Last week, Jack Ochs described a sophisticated and sustained attempt to steal journal content from the ACS using compromised university credentials. I’ve heard personally from another publisher of systematic robot activity and would not be surprised if many publishers are the targets of similar attempts to scrape and download their entire content.

All of the popular tools that we use every day (Google, LinkedIn, Twitter, Facebook, WordPress, Instagram, among others) require two-step authentication when you sign up or attempt to change your account, and many offer it for everyday use. Personally, I find it odd that universities, which store data much more valuable than recipes, selfies, and cat videos, are slow to require it — at least for individuals who are not physically present on campus.

While universities may not be motivated to change their authentication model for the sake of publishers, a stronger system will unquestionably make it harder for Sci-Hub and other future iterations of pirate websites to use compromised accounts to build their collections. For publishers, this is a beneficial step. However, there may be an unintended consequence to adding another step to the authorization process. Off-campus users, who presently find their institution’s authentication process exasperatingly complicated, may be further driven from using authorized library resources. Adding more security to campus networks may unfortunately drive more authorized users into the shadows.

Universities have been very late to the two-step dance, but fashionably late may be better than not attending at all.