UNE has committed to strengthening the security and safety of its technical and operational environment as part of a larger cyber security Rapid Uplift Program (RUP).

In addition to raising awareness and training staff in cyber security, the RUP also includes a project to make user authentication quicker and easier through the introduction of Multi-Factor Authentication (MFA).

The MFA project will feature an extensive consultation with end users, including a short survey to gather their thoughts on the initiative, whilst providing information and training to improve understanding of what MFA is.

Background

Traditionally, individuals accessed websites and applications by using passwords for identification and verification. This practice has become increasingly unsustainable as we are required to access more and more services online.

Organisations also require users to select increasingly complex passwords to combat the growing threat of compromise, whether by hackers stealing them from unprotected sites, by coercing users into disclosing them, or by users themselves writing them down, storing them in files on phones, or simply choosing something that is easily guessable.

As a result, users are more likely to choose the same password for all their access requirements and are reluctant to change them frequently. Hackers have also developed tools that can guess or predict an individual's password, and they actively target sites to harvest passwords and then sell them online to cyber-criminal gangs or worse. This has resulted in numerous cyber attacks in recent years involving financial loss, theft of personal information and loss of intellectual property. Universities are increasingly a target of these attacks.

The Solution

Security vendors have been working with organisations worldwide to address the 'password problem'. These approaches have included increasing password length and complexity, forcing frequent changes and checking for password re-use, making use of biometrics, and making use of multiple unique factors.

Of these, Multi-Factor Authentication (MFA) has become the preferred approach for the majority of organisations. MFA is also listed by the Australian Government's Security Group (ASG, now ACSC) as one of its top eight security control measures.

MFA is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence that can only be known or held by that user. These are generally defined as:

  • Something you know (a password or Personal Identification Number);
  • Something you have (a token or a smart device); and
  • Something you are (facial recognition, a swipe pattern or a fingerprint).

This approach not only increases the strength of the user authentication process, but also removes the ability of cyber-attackers to steal authentication credentials for resale.
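As an added illustration (not part of UNE's project material), the following Python models the two-factor check described above: a password ("something you know") plus a time-based one-time code of the kind an authenticator app generates ("something you have"), following the RFC 6238 TOTP scheme. The user record, salt and secret are constructed sample values; the secret is the RFC test-vector key so the codes can be checked against the published vectors.

```python
import base64, hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time // step), digits)

def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (phone clock skew), constant-time compare."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + drift * 30), submitted):
            return True
    return False

# Constructed sample enrolment record: a salted password hash plus a per-user TOTP secret.
# The base32 form is what an authenticator app is given (e.g. via QR code) at enrolment.
SALT = b"constructed-salt"
USER = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, 100_000),
    "totp_secret": base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),  # == b"12345678901234567890"
}

def login(password: str, code: str, at_time: float) -> bool:
    """Both factors must pass: knowledge (password) and possession (the app's current code).
    A password stolen from another site is useless on its own, which is the point of MFA."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    pw_ok = hmac.compare_digest(candidate, USER["password_hash"])
    return pw_ok and verify_totp(USER["totp_secret"], code, at_time)
```

A real service would also rate-limit code attempts and reject a code that has already been used in the same time step.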

The Challenges

Having to present two forms of authentication does come with certain challenges. 

The user must carry a token

Tokens are either devices specifically designed for the authentication process or an 'app' on a mobile device. Issues arise if users do not have their tokens with them and are then unable to access the system. Mobile devices, whilst mostly carried on our person, are largely personally owned, and some users may not like sharing their capability, even though these apps have been extensively tested, do not introduce any vulnerability, and all information related to the device is protected under the Australian Privacy Principles. Alternative authentication methods will also be needed for those times when tokens are forgotten or lost.

The user may need to register biometric details

Another option is to use a biometric credential, such as a fingerprint or facial recognition, to unlock the smart device and the app. These biometric credentials are usually held on the device and are not stored centrally, and they cannot be used to recreate a fingerprint or facial image.

Usage may become onerous

Entering an MFA credential each time you want to access a new application during an 'on-line session' can be seen as onerous. However, a process known as Single Sign-On (SSO) can circumvent this: the user authenticates once at the beginning of the day, and every system they access thereafter (provided that system is part of the SSO group) is authenticated automatically. The SSO session ends only if the user stops work for a period or shuts down their computer.

These challenges will be addressed through the project lifecycle, which will include extensive consultation with end users.

Questions and comments can be sent to Stewart Hayes on shayes31@une.edu.au.