Several days ago the Office of Information Technology (OIT) notified the student body through an email that simple user/password logins would be replaced with a user-registered authentication key. Their idea is to improve security through increasing the number of physical devices that must be compromised before access to Notre Dame online services (such as email, cloud storage, etc.) can be misused. At face value, the idea makes sense, until you think about the situation carefully.
OIT is using two-factor authentication to solve advanced persistent threats. These threats rely on phishing to attain stolen logins and passwords. In a phishing attack, the user is required to make some sort of mistake in the form of clicking an unknown link or sharing sensitive information with the wrong entity. Two-factor authentication doesn’t solve this problem, it just increases the number of devices which must be compromised from one to two. In truth, users which can be drawn into clicking bad links or sharing sensitive information are also capable of compromising their accounts on multiple devices. The real solution to this problem is education-related. Only when users become well versed in detecting phishing attacks can these types of breaches actually be stopped.
More worryingly, OIT has made a technology decision on behalf of all the users of Notre Dame’s online services. They have decided that all users have access to a smartphone, tablet or landline when accessing Notre Dame online services. First, what an assumption! How did they reach this conclusion? Was a survey conducted? How many users do not fall into this category? The data to support such a decision is suspiciously absent. Second, why is it acceptable for a support organization, like OIT, to dictate how much security is needed for each individual? Many users have had no problems using Notre Dame services, but could be hampered by the new login process. By imposing their will, they are overstepping their purpose. Instead of a support role, University operations are being altered — potentially rendering some services inaccessible.
The core issue with IT infrastructure is a trade-off between security and usability. A 100 percent secure IT service would be completely useless, while a 100 percent usable IT service would not be secure. Rather than letting users decide how much of each trait is really needed for their situation (by offering a series of solutions), OIT has already reached a misguided conclusion. No one would accept an OIT imposed decision to use Android over an iPhone or Windows over macOS. This situation is fundamentally no different. OIT should support, not decide the selection and use of technology for the university.
It is not difficult to imagine a scenario in which a user does not have access to their second authentication device, or its battery is dead. Since no data has been referenced during this transition, it is reasonable to conclude they either do not have or do not care about the number of instances users will be unable to access key services due to the change in the login process. At the very minimum, OIT should make two-factor authentication opt-in until they have demonstrated a knowledge of how many will be adversely affected and provided an effective work-around.
Don’t worry, however, if your usage of online services does not fall under OIT’s outrageous assumptions. For the low, low price of $20, they will sell you guaranteed access to the services you were already using for free.
Jeremy Hershberger
Ph.D. student
Nov. 16
