OPINION: Two-step verification long overdue
In the last weeks of the spring semester, over 300 student accounts were compromised by a phishing campaign. Over the summer, students were sent a flier telling them that two-step verification would become mandatory on all email accounts in the coming semester. It is unknown whether these two events are directly related but the timing seems appropriate.
Two-factor authentication (TFA), also known as two-step verification, is a way to confirm the identity of someone logging in by asking for a second set of confirmation. This is the same reason why banks, airports, and the DMV ask for several documents proving who you are. One document might be fake so getting multiple fake documents makes things harder. From a cyber-attacker’s perspective, this means that they could know your username and password, however, if they don’t have access to your phone, then they cannot access your account.
It is hard to overstate how amazing that is. What will seem like a silly and annoying step for students is actually a cutting-edge cybersecurity solution, required by the government for federal agencies. First, security professionals are constantly worried about the risk of one important user with a terrible password or one that accidentally leaks it. TFA solves that problem by no longer hinging security on only two bits of information, and by requiring everyone to do it. Second, this shifts the burden of security from the students to technology. Not all students are perfect, and that is the problem, it only takes one. Think of it this way, the 300 affected students represent only 1.6 percent of the 19,000 enrolled. That means even when over 98 percent of students do the right thing, it still not enough. TFA allows students to have weaker passphrases and a more secure environment.
While you will find no shortage of praise from me about this move by the university, it is frankly the absolute least they could do. Aside from email, all private data that a student has access to can be viewed by an attacker with just a username and password. This includes all demographic data, (DOB, SSN, Addresses, Phone numbers) Financial Aid, (TAP, Loans, Grants), and all course data from Blackboard. This data remains more vulnerable is more important than email messages to the privacy of students.
This leads to the logical question, why doesn’t the main university portal have two-factor authentication? This would give a layer of needed security in front of all university-run webapps. The answer of why not is not a technical one; there are plenty of solutions that will integrate even with authentication protocols that should have died like some bad 90’s hair trends. If it is a social block, at the very least let student opt-in to such a program. This would let ITS test the program for bugs before a full roll-out and gather popular support.
The reality is that most organization will not take steps to protect themselves and their users until after something bad happens. Let me be clear, the university will be hit again. That is the nature of operating a university, let alone one with R1 research data. It is unclear whether ITS plans to expand the scope of this TFA program, and it is unclear whether they have the political/social capital to do so before the university is hit again.