UU sympathetic to calls for 'smarter' two-factor authentication
For a couple of years, IT safety is ensured at UU by the so-called two-factor authentication, also known as 2FA. This system requires students and staff to use their mobile phones to confirm their identity whenever they request access to certain parts of the university infrastructure, such as their e-mail, study progress report, or Blackboard.
According to a group of computer science students, this process can be made smarter to improve user-friendliness. They have proposed a method that allows UU students and staff to indicate which devices they trust. Then, they would only be required to use 2FA to log on to these trusted devices once a month. To ratify their proposal, the group has started a petition.
It looks like many students are indeed bothered by the inconvenience of the current 2FA method, as the petition gathered 1,500 signatures on the same day. Now, the number of signatures is at about 2,000. According to Evan Handgraaf, one of the initiators, this shows not only how annoying 2FA is, but also how the inconvenience is underestimated. “I often don’t have my phone on me when I study so I don't get distracted by WhatsApp, for example. But if I want to log in on Blackboard, then I have to go and get it. When I unlock my phone screen, I also see all my WhatsApp notifications. Then I get distracted and before I know it, half an hour has passed.”
Evan says that many of his friends experience the same problems. Talking about this to a friend who studies in Eindhoven, he learned that the Eindhoven University of Technology has a special "remember button" which decreases the number of times students need to log in. “That is where we got the idea,” explains Handgraaf, who has already sought contact with the university. UU is sympathetic to the idea. “Next week we will talk more. The more signatures we have, the clearer our argument will be.”
Simon Kort, a Security Operations Coordinator working in the Information and Technology Services department, agrees that this is an idea worth considering, which is why he encouraged the students to come and talk to him first. He says that, when it comes to ICT security, one always has to weigh user-friendliness and safety. According to Kort, ITS is willing to verify if it's feasible for UU students and staff to only use 2FA on some devices once every thirty days — however, that would only happen with systems the university does not deem sensitive. ICT security is already taking user-friendliness into account in certain instances, such as the Intranet, which does not require 2FA from UU employees.
According to Kort, a lot of changes and new measures have been implemented in recent times which have made UU's ICT infrastructure a lot safer. 2FA, for instance, lowers the risk that leaked passwords from students and staff get used by hackers to invade the university infrastructure. The advantage is that the ICT security team can relax some of the rules. Since March 2022, for instance, UU students and staff only need to change their passwords once a year, instead of twice. “It's never our intention to be an obstacle on purpose.”
Students and staff interested in signing the petition can do so here.