Prevent identity theft: ETH’s new MFA-SSO project
Mult-factor authentication (MFA) may be an unwieldy term, but with the introduction of MFA, IT Services are significantly increasing security in central web applications. The comprehensive introduction of MFA at ETH Zurich is planned for the second half of the year.
Passwords have long since become an integral part of our everyday lives. After all, everyone needs countless different passwords in their digital lives. They provide access to user accounts in all possible areas of life: from streaming services to email to online banking.
A password is the first line of defence against criminals trying to gain access to a user account, and, if multi-factor authentication is not enabled, it is often the only protection. Once this hurdle is overcome, however, criminals have unrestricted access to all data stored in the account in question. And once they have successfully broken through, they can also try to exploit technical vulnerabilities in the affected system to gain even more extensive access rights.
Nowadays, threats are also posed by phishing and ransomware attacks. Attackers deceive users in an attempt to obtain their login data. For example, they send out phishing emails that ask users to enter their password on an (obviously fake) website. For this to work, the website usually looks deceptively real. But phishing also works over the phone. In this case, an alleged customer support might ask for the login data for a certain account. Once they have obtained it, these criminals can gain access to data and encrypt it or ensure that regular access no longer works, allowing them to demand a ransom for the data’s decryption or release.
Multi-factor authentication creates more security
In addition to a password, logging in with multi-factor authentication also requires a second login confirmation. This is generated in the form of a one-time password (OTP). This OTP is generated in an authenticator app and is only valid for 30 seconds. This method makes the login process a little more complicated, but leads to additional security. For this reason, all cloud services and web applications operated centrally by IT Services will be connected to the MFA solution in the future.
Use of MFA still in need of improvement
In a recently published study on MFA use, it became clear that a “large part of the Swiss population already has an awareness of secure internet service use”. At the same time, however, there is still a lot of room for improvement, explained the head of the study, Thomas Uhlemann, security expert at Eset in an interview with the trade journal IT Magazine. Almost half (48 per cent) of the more than 1,000 respondents use an additional factor besides their password to protect their access data: 14 per cent for every online service and 34 per cent for some. However, this contrasts with one-third of the population who either never use MFA (11 per cent) or don’t even know what it is (19 per cent).
Time to leave your comfort zone
“We should leave our digital comfort zone now,” recommends Urs Spätig, Project Manager of MFA-SSO. The activation of multi-factor authentication for all employees and students is planned for the second half of 2022. Initially, this will take place for the central cloud applications such as Microsoft 365, Google Workspace, Adobe Creative Cloud and Zoom.
“This will significantly increase the security of web applications. However, we have to negotiate the conflicting priorities of security and user-friendliness.” If usability is compromised too much, users will look for workarounds, there will be rejection in the organisation and this will compromise the initiative’s effectiveness. Therefore, IT Services will implement a solution where a new OTP is requested at regular intervals, but not for every login.
Crime scene solution
In inside|out newsletter no. 28, we asked you to find the solution. Please email us the solution to firstname.lastname@example.org.