Do the Login Two-Step, But Read the Fine Print

Law Weekly Staff


The Virginia Law Weekly applauds the University’s recently publicized initiative to require two-factor authentication for all students and faculty. In the interest of providing the Law School community with the most complete information possible regarding this change, we conducted interviews this past week with Law IT User Support Manager Jason Bayers, Strategic Projects & Initiatives Senior Project Manager Dale Dew, Information Security Liaison Stacey Sties, and Chief Information Security Officer Jason Belford. The Law Weekly thanks them for their attention to our concerns. This statement summarizes certain relevant findings, based in part on our meetings, and presents the Law Weekly’s recommendations to the Law School community and to UVa Information Security going forward.

Why the change?

According to CISO Belford, the move to two-factor authentication has been in the works since the summer 2015 hacking incident, popularly known among some in the community as “that time we got hacked by China.” In response to this incident, the University established a security enhancement program called SecureUVA. Details about this program are available at secureuva.virginia.edu (NetBadge access required to view).

The “two factor” in “two-factor authentication” refers to systems in which logging in requires both a password (“something you know”) and a second proof of identity (“something you have”), such as a code sent to a pre-designated phone, an automated voice call, or a physical device. Because a stolen or phished password is then no longer enough on its own to log in, this second check limits the damage from password theft or phishing. UVa Information Security considers phishing a significant threat to the community and to systems, such as SIS, that hold highly sensitive financial data.

What should students do now?

First, enroll at https://2step.virginia.edu/ as soon as possible. The system which the University has selected, Duo Security, offers a variety of options to use as a second factor, but all users must designate at least one telephone number at which they can be reached. Users may elect to install the Duo mobile application, which allows for authentication by responding to a push notification. Privacy-conscious users should be aware, however, that the Duo mobile application contains features which may collect some potentially sensitive information, such as what other applications are installed on the user’s device. CISO Belford has informed the Law Weekly that UVa has not purchased a license to make use of those features and has no intention of ever collecting that kind of information on students; however, as other means of authentication exist which are similarly easy to use, it is entirely feasible to pass on the mobile application.

Second, generate a set of backup codes and store them in a safe place that is not the phone itself. If you lose your phone, you will need one of these backup codes to regain access to your NetBadge-protected services, and a code stored only on the lost phone is no help. Consider making use of an encrypted password vault to store your passwords and backup codes. KeePassXC (https://keepassxc.org) is one free and open-source, cross-platform option. UVa Information Security has informed the Law Weekly that they plan to provide UVa students with licenses to use a proprietary password vault system in the near future.

Third, remain vigilant against phishing attacks. Always hover over links you receive in emails before you click them, and make sure that they lead where they purport to lead, paying particular attention to the domain name rather than the text of the link. Never enter your password on a login page you reached by clicking a link in an email. Remember that the University will never ask you to send your password via email. If you suspect that you have received a phishing message, do not click its links or open its attachments. Instead, forward it to abuse@virginia.edu immediately.
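The “hover over the link” habit can be automated. The following script is an added illustration written for this piece, not University tooling: it pulls every link out of an HTML message, compares the host the link text names with the host the href actually points to, and flags anything that either disagrees or falls outside a trusted domain list. The trusted-domain list and the sample message are assumptions constructed for the example, not UVa policy or a real phishing email.

```python
"""Automating the 'hover over the link' check from the article.

This is an added illustration, not University tooling; the sample message
below is constructed for the example and the list of trusted domains is an
assumption, not UVa policy.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: legitimate NetBadge-related mail links only to virginia.edu
# and its subdomains.
TRUSTED_SUFFIXES = ("virginia.edu",)


def host_of(text: str) -> str:
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    parsed = urlparse(text.strip())
    if not parsed.netloc:
        # Visible text such as "netbadge.virginia.edu" has no scheme,
        # so urlparse would treat it as a path; add one and retry.
        parsed = urlparse("http://" + text.strip())
    return (parsed.hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list:
    """Return (reason, visible text, href) for every suspicious link.

    Two things a hovering reader would notice are checked: the visible
    text names one host while the href goes to another, or the href
    points outside the trusted domains altogether.
    """
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        # Only treat the visible text as a host if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append(("text/href mismatch", text, href))
        elif not is_trusted(target):
            findings.append(("untrusted host", text, href))
    return findings


# Constructed sample: an honest link, a look-alike domain behind "here",
# and a link whose text names the real site but whose href does not.
SAMPLE_BODY = """
<p>Enroll at <a href="https://2step.virginia.edu/">https://2step.virginia.edu/</a>.</p>
<p>Confirm your account <a href="https://netbadge.virginia-edu.com/login">here</a>.</p>
<p>Or sign in at <a href="http://netbadge.virginia.edu.example.net/">netbadge.virginia.edu</a>.</p>
"""

if __name__ == "__main__":
    for reason, text, href in check_links(SAMPLE_BODY):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the constructed sample, the honest 2step.virginia.edu link passes, the `virginia-edu.com` look-alike is reported as an untrusted host, and the third link is reported because its visible text and its destination disagree. Note that the suffix check matches on a trailing `.virginia.edu`, so a host like `netbadge.virginia.edu.example.net` is correctly rejected.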

What remains to improve?

In the time that we have had to test Duo Security, it has proven to be a reasonably reliable and easy-to-use two-factor system. No system is perfect, however, and the Law Weekly has identified three points which we would like to bring to the attention of UVa IT Security.

1. As presently configured, Duo delivers a set of ten one-time-use passcodes all at once to users who elect to receive codes by SMS. Although this approach saves marginal time and bandwidth, the Law Weekly is concerned that providing multiple codes in this fashion does not fully protect users against “shoulder-surfing.” Each code in the batch remains valid until it is used, so a hypothetical malicious actor who video-recorded a student entering their password could also, just as easily, record them checking their text messages, thereby collecting nine still-unused codes and enough information to log in to NetBadge at their convenience. A single code delivered per request, by contrast, is consumed by the student’s own login and is worthless to the onlooker afterward. The Law Weekly recommends that UVa IT Security either reconfigure Duo to send only one code at a time or disable the SMS feature altogether in favor of the voice call option.

2. Having had the opportunity to test Duo’s support for FIDO U2F hardware security keys (of which the YubiKey is the best-known example), the Law Weekly asks UVa IT Security to officially offer interested students and faculty the option of purchasing and making use of such devices. Because a U2F key’s response is bound to the origin of the web site requesting it, a look-alike login page cannot reuse it, which addresses the phishing concern behind this initiative more directly than phone codes do. Although hardware keys have limits—in particular, UVa IT Security has informed the Law Weekly that limited browser support contributed to their decision not to officially support YubiKey devices at this time—the Law Weekly feels that they could offer UVa a robust and easy-to-use alternative to phone authentication.

A Yubikey, which provides an alternative token to phones for two-factor authentication. Photo courtesy Wikipedia.

3. The Law Weekly is troubled by UVa IT Security’s practice of sending links to NetBadge-secured resources by email. Credential phishing, and especially targeted spear-phishing, in which the attacker creates a convincing-looking false login page that intercepts user credentials, relies on user complacency toward emailed links. System administrators, therefore, should not allow their users to become accustomed to using emailed login pages. The Law Weekly asks that UVa IT Security consider adopting a no-hyperlinks policy. In the instant case, by way of illustration, it would have been a far more responsible approach to simply instruct students to keep an eye out for the orange information box on the NetBadge login screen and provide an example of what that box should look like.
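Point 1 above, and the backup codes recommended earlier, both turn on the same property of one-time codes: a code stays valid until somebody uses it. The simulation below is an added example written for this editorial, not Duo’s code; the class and function names are illustrative. It models a verifier the way one should be built, storing only hashes of the unused codes and retiring each code on first use, then replays the shoulder-surfing scenario with a batch of ten codes and with one code per request.

```python
"""Why a batch of one-time passcodes is weaker than one code at a time.

Added simulation for this editorial; it is not Duo's code and the class
names are illustrative.  It models a verifier the way one should be built:
only hashes of unused codes are stored, and a code dies on first use.
"""
import hashlib
import secrets


class PasscodeStore:
    """Server-side record of the one-time codes still valid for a user."""

    def __init__(self):
        self._valid = set()  # SHA-256 digests of codes not yet used

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, count: int) -> list:
        """Create `count` distinct six-digit codes, record their digests,
        and return the plaintext codes as an SMS or printout would."""
        codes = []
        while len(codes) < count:
            code = f"{secrets.randbelow(10**6):06d}"
            if code not in codes:
                codes.append(code)
        self._valid.update(self._digest(c) for c in codes)
        return codes

    def verify(self, code: str) -> bool:
        """Accept a code once; presenting it again fails."""
        digest = self._digest(code)
        if digest in self._valid:
            self._valid.remove(digest)
            return True
        return False

    def outstanding(self) -> int:
        """How many issued codes are still usable."""
        return len(self._valid)


def shoulder_surf(batch_size: int) -> int:
    """Model the scenario in point 1: the user receives `batch_size` codes,
    logs in once with the first, and an onlooker who filmed the screen
    later replays every code seen.  Returns the onlooker's successful logins."""
    store = PasscodeStore()
    seen = store.issue(batch_size)         # everything the camera captured
    if not store.verify(seen[0]):          # the victim's own login
        raise RuntimeError("fresh code should verify")
    return sum(store.verify(code) for code in seen)


if __name__ == "__main__":
    print("ten codes per SMS   :", shoulder_surf(10), "attacker logins")
    print("one code per request:", shoulder_surf(1), "attacker logins")
```

With ten codes per SMS the onlooker gets nine working logins; with one code per request (which is what a voice call delivers) the victim’s own login consumes the only code and the onlooker gets none. The same store describes a printed list of backup codes, which is a batch by design: that is exactly why it belongs in a vault or a drawer rather than on the phone whose screen an onlooker might film.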

----

Editor@lawweekly.org