The shifting view of two factor authentication at the university

September 26, 2021

Back in 2016, I wrote an entry about how we'd never be able to have everyone use two factor authentication. Recently, the university (and thus necessarily my department) is moving to make two factor authentication required. Given this, you might wonder what happened between 2016 and now, five years later. The simple answer is changing attitudes on smartphones, or if you prefer, a view that two factor authentication is sufficiently important that the administration is willing to force people to go through pain.

Now as in 2016, the fundamental political problem of two factor authentication is that you need a device to be the second factor and this device has to belong to someone and be provided by someone. If the organization has to provide a device to any significant number of people, life gets expensive fast. In 2016 I wrote about this, as an aside:

(We cannot assume that all people have smartphones, either, and delegate our 2FA authentication to smartphone apps.)

The political answer here in 2021 is that we are now assuming that people like graduate students have personal smartphones and can be required to install an authenticator app on those smartphones. For most people, if they don't have a personal smartphone (that they're willing to use for this), the university's answer will not be to provide a hardware two factor token at the university's expense, it will be to shrug and tell them to get one, even if it's a cheap old one that will only be used on wifi networks.

It's my guess that this political answer is feasible because, as a practical matter, people mostly have smartphones and have mostly become acclimatized to using them for non-personal purposes, like the things involved in being a graduate (or undergraduate) student. Many people read their university email on personal devices, for example. Compared to some of those entanglements, an authenticator app is nothing special, and smartphones actually have a decent reputation for limiting what apps can do (much more so than regular computers).

There's also the technical answer that the things enabled by not having two factor authentication (a phished or otherwise compromised password being enough to take over an account) are becoming more and more damaging in various ways. Since 2016, computer security has failed to find any way to significantly prevent or mitigate the damage of password compromises other than making a password by itself insufficient. Forced two factor authentication is not the best solution; it's simply the last solution standing, and something has to be done.

(As a necessary disclaimer, I have no specific information on the university administration's decision making process here. I do know that we're increasingly concerned about the damage that phishing and so on is doing.)


Comments on this page:

Those TOTP apps are usually vulnerable to phishing and MITM attacks, unlike a FIDO2 U2F token that verifies the server. Why not issue everyone with a Yubikey 5C NFC or similar?

By Ruben Greg at 2021-09-27 05:07:11:

Well done and congrats to your administration.

By Michael Kohne at 2021-09-27 05:34:58:

The Uni doesn't want to supply U2F tokens because they cost money. Beyond the initial cost, you've got to have replacements on hand to deal with lost/damaged tokens, and someone to hand them out as needed/authorized.

That's a total pain in the ass, while TOTP gives most of the benefit of two factor, and if the student loses/kills their phone it's not the Uni's problem.

-- Michael Kohne

From 134.134.137.81 at 2021-09-28 12:51:25:

Forcing people to have smartphones is not the answer.

Can a student buy a cheap hardware token where they type in the TOTP secret once, and from then on just push a button to get the current 6-digit TOTP value? Do such devices exist? I tried searching for some, but the number of features and limitations of these devices is confusing. Some exist where the TOTP secret is hardwired into the device, not programmable by the user; I don't know if that would be acceptable to the university.

By cks at 2021-09-29 17:15:35:

Beyond the question of hardware availability, I don't know if the university is set up to provision things for such user purchased tokens. The university does provide OTP tokens to some people, but they're provided centrally and have a complicated provisioning process (and the university is probably not set up to let people pay their own money but buy them through the university, although I haven't checked).

Written on 26 September 2021.

Last modified: Sun Sep 26 23:15:45 2021