Prevent identity theft: ETH’s new MFA-SSO project

Multi-factor authentication (MFA) may be an unwieldy term, but by introducing it IT Services are significantly increasing the security of central web applications. The comprehensive introduction of MFA at ETH Zurich is planned for the second half of the year.

Search here on the ITS Blog for the matching picture as the solution to our crime scene and send us the solution via email. We’re raffling off three YubiKeys, which you can also use as an MFA solution, to those who provide the correct answer.

Passwords have long since become an integral part of our everyday lives. After all, everyone needs countless different passwords in their digital lives. They provide access to user accounts in all possible areas of life: from streaming services to email to online banking.

A password is the first line of defence against criminals trying to gain access to a user account, and, if multi-factor authentication is not enabled, it is often the only protection. Once this hurdle is overcome, however, criminals have unrestricted access to all data stored in the account in question. And once they have successfully broken through, they can also try to exploit technical vulnerabilities in the affected system to gain even more extensive access rights.

Nowadays, threats are also posed by phishing and ransomware attacks. Attackers deceive users in an attempt to obtain their login data. For example, they send out phishing emails that ask users to enter their password on a fake website. For this to work, the website usually looks deceptively real. But phishing also works over the phone: someone claiming to be customer support asks for the login data for a certain account. Once they have obtained it, these criminals can gain access to data and encrypt it, or ensure that regular access no longer works, and then demand a ransom for the data’s decryption or release.

Multi-factor authentication creates more security

In addition to a password, logging in with multi-factor authentication also requires a second login confirmation. This takes the form of a one-time password (OTP) that is generated in an authenticator app and is only valid for 30 seconds. This method makes the login process a little more complicated, but adds a second layer of security: a stolen password alone is no longer enough to log in. For this reason, all cloud services and web applications operated centrally by IT Services will be connected to the MFA solution in the future.

Use of MFA still in need of improvement

In a recently published study on MFA use, it became clear that a “large part of the Swiss population already has an awareness of secure internet service use”. At the same time, however, there is still a lot of room for improvement, explained the head of the study, Thomas Uhlemann, security expert at Eset, in an interview with the trade journal IT Magazine. Almost half (48 per cent) of the more than 1,000 respondents use an additional factor besides their password to protect their access data: 14 per cent for every online service and 34 per cent for some. However, this contrasts with one-third of the population who either never use MFA (11 per cent) or don’t even know what it is (19 per cent).

Time to leave your comfort zone

“We should leave our digital comfort zone now,” recommends Urs Spätig, Project Manager of MFA-SSO. The activation of multi-factor authentication for all employees and students is planned for the second half of 2022. Initially, this will take place for the central cloud applications such as Microsoft 365, Google Workspace, Adobe Creative Cloud and Zoom.

“This will significantly increase the security of web applications. However, we have to negotiate the conflicting priorities of security and user-friendliness.” If usability is compromised too much, users will look for workarounds, there will be rejection in the organisation and this will compromise the initiative’s effectiveness. Therefore, IT Services will implement a solution where a new OTP is requested at regular intervals, but not for every login.

Crime scene solution

In inside|out newsletter no. 28, we asked you to find the solution. Please email us the solution to insideout@id.ethz.ch.

Davor Kupresak, Andreas Müller, Urs Spätig and Anja Harder (left to right) are the ITS faces behind the hooded men and reveal the solution: “4-4 Security”
