Almost all IT systems at Warwick are protected by authentication run by IT Services called Single Sign-on, which has two defining characteristics:
- Staff and students only ever have a single username & password, and
- If you’re signed in to one service, you’re signed in to all services
This approach has pros and cons:
- ✓ It’s easy and convenient for staff and students
- ✓ It’s technically manageable for IT Services
- ✓ Not having to remember multiple sets of credentials is more secure; if people had different passwords for different applications, they’d be more likely to choose simple passwords, write them down, etc.
- ✗ It treats all apps as requiring equivalent security, even though some of our applications contain very little sensitive data, and some contain very substantial quantities
- ✗ Stolen or shared credentials allow access to lots of applications
This last point is particularly important, because in general usernames and passwords are not well-managed assets at Warwick: people routinely respond to phishing emails designed to acquire passwords; we have a loosely managed network with thousands of unmanaged devices attached to it, and unmanaged devices are often insecure and vulnerable to attack; and it’s common for staff and students to voluntarily share credentials with other people for convenience.
We intend, therefore, to improve security beyond our existing username-and-password model. The approach we will use is called two step authentication. Almost all major commercial web properties – Google, Facebook, Twitter, Apple, etc – run two step authentication, and suggest very strongly that their customers should turn it on.
Two-step authentication adds additional security beyond username and password by using something you have as well as something you know. The thing you have is sometimes a physical token – a keyfob device with buttons and a screen – but nowadays is mostly a phone, because people don’t like carrying extra devices around with them, and organisations don’t like having to supply and maintain thousands of keyfob devices. So when two-step is in use, the login process changes slightly:
- A user logs in using their username and password
- They are then asked to type in a numeric code generated on their phone
- If the code typed in matches the one from the user’s phone, login is complete
- To avoid having to type codes in every time a user logs in, it’s possible to say “Don’t ask me again on this device” for devices which the user is confident are physically secure
- Once “Don’t ask me again on this device” has been ticked, numeric codes aren’t required on that device any more for a period defined by the organisation, typically somewhere between six months and a year.
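The login flow above, plus the remote revocation of a device’s “Don’t ask me again” status described later on this page, as an added illustration (not Warwick’s own implementation). It assumes the phone app generates standard RFC 6238 time-based codes (30-second step, six digits) and that the trust period is about six months; the username, secret and timestamps are constructed test values.

```python
import hmac
import hashlib
import struct
import secrets

STEP = 30                       # seconds per code (assumed RFC 6238 default)
TRUST_PERIOD = 180 * 24 * 3600  # ~six months, the lower end of the page's range
TRUSTED_DEVICES = {}            # device token -> (username, expiry timestamp)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """Code the phone app would show: HMAC-SHA1 over the time counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, now: int, skew: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), submitted)
               for d in range(-skew, skew + 1))


def trust_device(username: str, now: int) -> str:
    """'Don't ask me again on this device': issue a random token with an expiry."""
    token = secrets.token_urlsafe(32)
    TRUSTED_DEVICES[token] = (username, now + TRUST_PERIOD)
    return token


def device_is_trusted(username: str, token: str, now: int) -> bool:
    record = TRUSTED_DEVICES.get(token)
    return record is not None and record[0] == username and now < record[1]


def revoke_device(token: str) -> None:
    """Lost or stolen device: remove its token so it must present a code again."""
    TRUSTED_DEVICES.pop(token, None)


def login(username, password_ok, device_token, code, now, secret) -> str:
    """Returns 'denied', 'need_code' or 'ok' for one sign-in attempt."""
    if not password_ok:
        return "denied"                                   # first factor failed
    if device_token and device_is_trusted(username, device_token, now):
        return "ok"                                       # skip code on trusted device
    if code is not None and verify_code(secret, code, now):
        return "ok"                                       # second factor matched
    return "need_code"
```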
Two step authentication is already implemented at Warwick, but is optional for all staff and students. When this change is introduced, it will become mandatory for all staff (but will remain optional for students). When this happens, staff will need to make the following adjustments:
- Register a mobile phone for use with two-step. (If the phone is a smartphone, it's possible to install an app to generate the required numeric codes. For older phones, the codes can be sent by SMS.)
- Once a phone has been registered, staff will use their phone to generate a numeric code to type in when logging in. For each device staff log in from, they would have the choice about whether to skip the numeric code after the first time. So for someone using a single device that they are confident in the physical security of, the change would amount to typing in a numeric code once every six months or so.
The advantages to the University would be significant:
- The risks associated with phishing would be substantially reduced, because even if staff mistakenly hand over their username and password, those credentials can’t be used to sign in from a new device unless the attacker also has the staff member’s (unlocked) phone at the same time.
- Sharing of credentials would also be reduced, because knowing someone else’s credentials would not be enough to sign in with on a new device without also having the other person’s phone.
- The question of whether we should enforce complex or frequently-changed passwords would become largely obsolete, since security would no longer depend on the password alone.
- Systems which contain sensitive data such as SITS or HR would be better protected. Users making frequent use of those systems could be advised to use the “Don’t ask again on this device” option sparingly if at all, thus improving security still further.
- Lost or stolen devices can retrospectively be made secure by remotely revoking their “Don’t ask again on this device” status so that even if someone has the device and a valid username and password, the device can no longer be used to sign in to SSO-protected applications.
We believe that these proposed changes represent a reasonable compromise between user convenience and increased security. While further strengthening of security, and therefore further changes to access methods, may be needed in the future, this change would be a substantial improvement on the current position.