Welcome to the two-factor authentication
Passwords on the way out?
WUR will be introducing the two-factor authentication this year. From the Purchasing department to lecturers, all staff at the university will need to take an additional digital step to prove they are who they say they are. Is that really necessary? Five questions about this digital access code.
‘Hack the Future’ was the title of the cool ‘creathon’ that vocational college Aventus in Apeldoorn organized last year to get students enthusiastic about using big data for the healthcare sector. But precisely on the day that the creathon was due to start, they discovered the school had been the victim of a real hack: a fake account had been used to gain access to the student tracking system and their grades had been altered.
Such a hack is the nightmare scenario for every education institution but unfortunately it is still a possibility in Wageningen. WUR is attacked on a daily basis by Internet criminals.
You would imagine WUR would have sorted out its security situation.
WUR is very alert but you can’t arm yourself against every eventuality. The current system uses a password, which is incredibly insecure. The human factor is the problem. Despite repeated warnings, about 10 per cent of staff and students still fall for phishing emails. These emails that ask for your login details are becoming ever more sophisticated.
Many people enter their password, which gives hackers access to our systems. That is the commonest way for hackers to get in: 91 per cent of the attacks on the university start with a phishing email. WUR has conducted various campaigns to raise awareness among staff about phishing but it remains a problem.
WUR therefore intends to prevent identity fraud and protect sensitive data by rolling out two-factor authentication over the next year for key software applications. Two-factor authentication essentially means an extra check to determine whether the person entering the password is who they say they are. That is usually done by sending a text message to the phone registered in the name of the employee in question, but you can also use an app that generates a unique number, as in Internet banking.
A hack is still a possibility in Wageningen
But surely an extra step like that is annoying and inconvenient? People complain like mad about WUR Passcode, which you need to access your webmail.
You can set your phone so that all you need to do is press an ‘approve’ or ‘deny’ button. That isn’t that much work. On top of that, there is a guide on the intranet showing you how to install that app. That is the easiest method.
The second method is to use Google’s or Microsoft’s authenticator. That does not mean those software companies get access to WUR information. They use an internationally accepted protocol to determine a code using an algorithm. And you still have to enter your password.
The current system uses a password, which is incredibly insecure
Digital security tips
Against identity fraud: if you have to supply a copy of your passport, make the unique citizen number illegible and/or cover your passport photo. Write on the copy that it is a copy.
Password: change your password regularly, at least once every three months. A good password contains lowercase and uppercase letters, digits, punctuation marks and special characters.
Passphrases: Long, complicated passwords are difficult to remember, so use passphrases instead that you can recall more easily. Add punctuation marks and digits, and give hackers a real challenge.
What systems will get this form of authentication?
Ultimately, all the important applications where WUR needs to be sure of the identity of the person behind the computer. Webmail already uses the WUR Passcode and we will be extending this further in 2020. Staff may also have to use this method when entering research data or using financial systems such as ProQMe. We are due to get a new student information system soon that is also capable of using two-factor authentication. We can configure it, for example, so that staff have to prove they are who they say they are using their phones before they can enter or change grades. All staff with a WUR mobile phone number will have to use this method to log in. You need that phone because you are sent a text message.
What are the disadvantages?
One disadvantage is that you sometimes don’t receive the text messages, a phenomenon known as ‘fire and forget’. That is why it is better to install the app that lets you click on ‘approve’ or ‘deny’.
All staff with a WUR mobile phone number will have to use this method to log in
Will two-factor authentication be followed by yet another security method? Might we not need a password at all in the future?
You basically have three kinds of security: what you know (your password), what you have (your phone) and who you are (biometric authentication). Some security experts reject biometric authentication as they say it is susceptible to fraud and inaccurate. There are also privacy aspects that are unclear at present. That is why we haven’t gone for that option.
Leaks and hacks
The Aventus college hack in 2019 was not an isolated incident. These institutions also had problems or close calls.
At the end of 2019, ransomware was able to enter the Maastricht University network via phishing emails and then spread undetected. The hackers had been in the system for months when they went on the attack, cutting off access to key files and the back-ups. The university paid 30 bitcoins (200,000 euros) to regain access.
Various educational institutions
In January, a security leak in the Citrix remote access system gave hackers access to the networks of various educational institutions including Inholland, Fontys University of Applied Sciences, Leiden University and VU University Amsterdam. Employees were temporarily not allowed to work from home.
Universiteit van Antwerpen
In October 2019, ransomware was able to infiltrate the University of Antwerp’s systems via an old computer. The attack affected several servers, causing various applications used by students and staff to stop functioning. A spokesperson said no sensitive or valuable data was seized.