The standard edition of the system costs $1 per user, per month, and uses a mobile app as the security token. A more robust version costs $3 per user, per month, and includes physical PassKeys, as well as two “service keys” (master keys). These costs include all onboarding services for setting up the system, Texeira said.

If users lose their PassKey, they can go to a self-service EduLok portal to deactivate this token, and campus administrators would issue a new one. There is no personally identifiable information contained within a PassKey, Texeira said—and a thief would have to know the user’s PIN in order to use it.

Paul Howell, chief cyber infrastructure security officer for the Internet2 initiative, called EduLok’s fragmentation of data “an interesting approach.” He noted that Google uses this approach to secure the data stored on its servers as well.

“If a server is compromised, and only parts of a file are there, then you don’t risk revealing the full contents of the file,” he said.

But this approach also raises important questions, Howell said. For instance, some researchers have contracts forbidding them from exporting their findings outside the United States. Would those stipulations apply to data encrypted and stored in overseas servers?

EduLok’s approach also raises questions about data sovereignty, Howell said. When data are stored on U.S. servers, we would expect U.S. law to apply—but when information from an American institution is stored on a server in another country, “whose laws apply?” he asked. “And, could that affect the confidentiality of the information?” This is an unsettled area of the law, Howell said, but “it’s something to track and be aware of.”

As for multifactor authentication, Howell said this practice is growing among higher-education institutions. Internet2 offers “above-the-cloud” services for colleges and universities that include multifactor authentication, such as a two-factor authentication system from Duo Security of Ann Arbor, Mich., that gives users a choice of what kind of token to use.

Howell said the key takeaway from EduLok’s system is that it adopts a “layered” approach to data security, using multiple technologies and processes to protect sensitive information.

“There is no silver bullet to data security,” he said. “I don’t look at these two approaches as necessarily better than any others.” But any kind of layered approach gives campus administrators a better chance of safeguarding their data, he noted.