UU uses 2FA for more programmes: ‘Secure log-ins are absolutely vital’
“Can we talk about how annoying the 2FA for Osiris and Blackboard is now? Whatever happened to logging in without accidentally opening that WhatsApp convo again (…) because you’re waiting for the blue pop-up of terror? (…)”
The complaint above was part of a funny post on Facebook page UU Confessions earlier this year. It expressed a sentiment shared by many UU students. The message was posted one day after UU had made two-factor authentication mandatory to access the virtual learning environment Blackboard. The double log-in method was already required to access the study registration system Osiris.
Distracting phone
Students who want to view their grades or workgroup assignments can no longer simply log in with their username and password. Now, they also have to use an app (which shows blue notifications) and a PIN code or text message code to confirm they are who they say they are.
That’s both cumbersome and distracting during study sessions, said student members in a University Council meeting. Many students put their phones away before studying as a means to avoid distractions, the council members explained.
Carol van der Palen, Deputy Director of the IT department, explains that 2FA doesn’t necessarily have to be annoying. He recommends students to think about the programmes they're going to use before they start working, and make sure they're logged in to all of them beforehand. Then, you can put away your phone – preferably set to ‘Do not disturb’. “You don’t have to keep it in your hand at all times”.
UU's information campaign about 2FA tries to paint a happy picture. "Protects your data and the university's", says the voiceover. But of course the Deputy Director acknowledges that students and employees may find 2FA inconvenient.
That’s why he wants to explain the importance of the 2FA process. “We’re trying to reduce the number of additional actions as much as possible. But even if you needed a 2FA code ten times a day, it would still cost you no more than a few minutes a day, for your and everyone else’s safety”.
Piece of cake
Last year, after Maastricht University fell victim to ransomware, which shut down all its IT systems, the UU rushed to implement the two-step login system. Van der Palen estimates that 96 percent of students and employees have installed 2FA. The number of users went from 4,000 to over 45,000 in 2020.
Van der Palen is happy with the development. The dangers of not using 2FA are great. The e-mail addresses of students and employees can be found easily. For criminals, it’s a piece of cake to collect them and then run large password files on them, he explains. In an in-house test with "weak" passwords used often, 14 accounts of UU employees came up, including a professor’s account.
The deputy director also refers to data from Statistics Netherlands showing that, last year, 1.2 million Dutch people fell victim to digital crimes. Relatively often, the victims are 25 years old or younger.
“Regard the university like a skyscraper. Once thieves have made it past the main entrance downstairs, they can take their next step and end up opening your front door. With the Solis data of students or employees, criminals can’t just access the personal data of the person involved, but they can also go look for more valuable information or more access rights. That can be done by impersonating someone, for instance. There are tons of examples of that”.
Logging in again after 30 minutes
Van der Palen says most students and employees understand his message. The recent hacks at the University of Amsterdam and Amsterdam University of Applied Sciences, Inholland and NWO clearly demonstrate the risks educational institutions run of losing data or being held hostage.
The questions posed by the students in the University Council focused on minimising the inconvenience for students when using 2FA. Is it really necessary to log in again after being idle for 30 minutes?
Van der Palen replies: “Unfortunately, it isn’t possible to allow them to stay logged in for longer: the risk becomes too big. If someone goes out to lunch and leaves all his software open and accessible, that’s a potential risk. We don’t leave our front doors open anymore either, do we?”
And then there’s the long recovery code students need to keep safe after signing up for 2FA. They need that code if they buy a new phone or lose their phone, and have to reinstall 2FA.
Students are used to requesting new passwords online for everything, but that isn’t possible in this case. They have to show their ID – although it’s possible to do that through a video call on Microsoft Teams. The university is looking for alternatives to the recovery code, but hasn’t found any yet. “We have to be sure that we give that code to the right person. You have to prove to us that you really are who you say you are.”
Not to annoy
On March 23, yet another lock will be added to the door. From that day on, double authentication is necessary for all Office 365 applications: Word, Excel, Outlook, and MS Teams. Any new software the UU approves will also require 2FA. Amidst a pandemic, with most employees working from home and most education taking place online, the demand for new software is high.
“It isn’t fun, but unfortunately it’s necessary”, the deputy director says. “We’re not doing this to annoy students and employees”. Moreover, students and employees are encouraged to switch from 2FA via text message – if they’re currently using that method – to 2FA via app. The costs of all those text messages were huge in the past few months, because students and employees working from home were using it more and more. Van der Palen says the cost was up to 200,000 euros annually. “That’s a lot of money and there are much better things we could do with that sum”.
Phishing professors
Two-factor authentication is part of the already existing programme SecUUr, which aims to improve digital security. This isn’t just about technological interventions and check-ups to make the university’s IT environments less vulnerable: it’s also about raising awareness among students and employees. “The greatest danger is still the one sitting in the desk chair”, says Van der Palen.
For that reason, the awareness campaign Switch On Security was launched late last year. It stresses the importance of 2FA, safe software, and updating that software on a regular basis. Students and employees receive advice showing that working safely doesn’t have to be difficult or burdensome.
Moreover, employees have to keep an eye out for suspicious emails. UU's spam filters manage to ward off the vast majority of suspicious messages. Some great improvements have been made in the past few years. Van der Palen: “No more than 10 percent of the emails addressed to you are real. The rest is garbage”.
In October, however, it became clear that things can still go wrong. Multiple professors thought a phishing e-mail was real and entered their Solis data. That almost led to their salaries being deposited to a different bank account. Thankfully, one professor who doubted the authenticity of the e-mail warned others in the nick of time.
“Those emails look so real these days. They used to be written in poor Dutch, but those times are long gone. It’s not a question of whether you’ll fall for them, but rather when you will”, warns Van der Palen.
“We’re doing all this to protect personal data and university data”, he concludes. “Think about what it would be like if you’re the one who has to explain that your carelessness led to the entire university being taken hostage. We really have to do this together”.