Last week, the university enabled multi-factor authentication (‘MFA’) for students. It already did so for employees, and will do so for guest accounts. This – in principle laudable – move is driven by a series of security incidents at universities and universities of applied sciences. A great step, considering that the internet becomes a more dangerous environment every year. However, I think we still haven’t found our key to (user-friendly) security.
For one, the password policy itself – which hasn’t changed – irks me. Among other things, the current policy in TAP is ‘bullshit’, very ASCII-centric (what’s wrong with ‘ë’, ‘ß’ or even ‘森’?), and allows short passwords. Another irk is that the university forces you to renew your password every year, for no good reason. There were times when government institutions recommended that, but they have since changed their minds: NIST’s SP 800-63B, for instance, now advises against forced periodic changes and only requires a change when there is evidence of compromise. The user experience of this approach is also bad: it irritates those who use password managers, while nudging other users into making small, predictable changes (a digit at the end, incremented every year) to passwords that are short to begin with. That doesn’t sound very secure, does it?
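To make the complaint concrete, here is an added example (not the university’s TAP policy and not code from this column): two password-acceptance rules in JavaScript, one of the ASCII-only, 8-to-16-character, rotate-yearly kind described above and one following NIST SP 800-63B, plus a check for the ‘increment the digit’ habit that forced rotation encourages. The breach list and the sample passwords are constructed for illustration.

```javascript
// Added example, not from the column: a university-style password policy of the
// kind criticised above, next to one aligned with NIST SP 800-63B. The breach
// list is a constructed stand-in for a real breached-password feed.
const BREACHED = new Set(['Welkom2024!', 'Password123!', 'Universiteit1']);

// Policy A: printable ASCII only, 8 to 16 characters, rotated every year.
// Note what falls out: 'ë', 'ß' and '森' are rejected outright, and a
// 17-character passphrase is "too long".
const asciiPolicy = {
  name: 'ascii',
  maxAgeDays: 365,
  accepts(pw) {
    return /^[\x21-\x7e]{8,16}$/.test(pw);
  },
};

// Policy B: length measured in Unicode code points (not bytes, not UTF-16
// units), any printable character allowed, a generous maximum (NIST says at
// least 64 should be permitted), no periodic rotation, but a check against
// known-breached passwords.
const nistPolicy = {
  name: 'nist',
  maxAgeDays: null, // change only on evidence of compromise
  accepts(pw) {
    const normalized = pw.normalize('NFKC');      // NIST suggests NFKC/NFKD; 'e' + combining diaeresis becomes one 'ë'
    const length = [...normalized].length;        // code points, so '森' counts as one character
    if (length < 12 || length > 128) return false;
    if (/\p{Cc}/u.test(normalized)) return false; // no control characters
    if (BREACHED.has(normalized)) return false;
    return true;
  },
};

// What a yearly rotation rule actually buys: compare old and new password the
// way a user under such a policy typically "changes" it (strip the trailing
// digits/punctuation that get bumped each year and see if the core is the same).
function isTrivialVariant(oldPw, newPw) {
  const core = (s) => s.normalize('NFKC').toLowerCase().replace(/[0-9!@#$%^&*._-]+$/, '');
  return core(oldPw) === core(newPw);
}

function evaluate(pw) {
  return { ascii: asciiPolicy.accepts(pw), nist: nistPolicy.accepts(pw) };
}

console.log(evaluate('Welkom2024!'));                // { ascii: true, nist: false }
console.log(evaluate('mëine-löng-paßphrase-森'));     // { ascii: false, nist: true }
console.log(isTrivialVariant('Welkom2023!', 'Welkom2024!')); // true
```

The ASCII policy accepts the short, breached ‘Welkom2024!’ and rejects a 22-character passphrase with non-ASCII letters; the NIST-style policy does the opposite. The variant check shows why the rotation rule is theatre: the yearly ‘new’ password has the same core as the old one.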
The user experience of the app-based MFA isn’t great either, and you run into it more often. Suppose you put away your phone to study without distractions, and want to log into some UT asset, only for it to ask you for an MFA token. You sigh, and go get your phone. Assuming you’ve properly secured your phone (no swiping!!), you first have to unlock it, open the app and generate the token, and only then can you finally log in.
Luckily, some smart people came up with a solution to this hassle. Their key to security was: security keys! These are small USB (or NFC) devices, typically built on the FIDO2/WebAuthn standards, which you plug into your computer or hold against the back of your phone. You touch the key and/or enter a PIN (depending on how everything is set up), and that’s your second factor. What makes them more than a convenience: the key signs a challenge that is bound to the domain of the site you are logging into, so a look-alike phishing site can’t obtain a response that works on the real one. You can put these on your key chain (like I do), or just leave them in your computer. And they aren’t super expensive either.
If you think ‘this sounds great, I want this!’, I have good news for you. While the university didn’t mention this option in their communication, they didn’t disable it either – and they definitely shouldn’t! I’ve tested this with my own security key, and I wasn’t even asked for my password! (Don’t worry, it’s still secure: this is called passwordless login, where the key you possess and its PIN or fingerprint check together replace the password.)
Sadly, there’s a bug in my regular setup which currently prevents me from using it for UT assets, but that shouldn’t apply to most of you. So I hope that the university will more openly support this option, and that it and/or the study associations will use their collective buying power to buy them in bulk and provide us with (relatively) cheap keys to our secure and user-friendly kingdoms. But, before that happens: go forth, lengthen your passwords, put them in password managers, and use this extra bit of security (be it the app or a key) for all your other online accounts as well.
Just remember: you are part of the key to internet security too.