By Irene Hsu
Stanford IT Services is currently working on several new online security measures, partially in response to this past summer’s cyber attack on Stanford information systems infrastructure. This comes after its current security upgrade, two-step authentication, drew some student discontent for being too inconvenient.
The new measures include restructuring the internal system to implement a fault-tolerant architecture, application whitelisting—which maintains a list of the applications permitted to run on a server so that unapproved or rogue programs are blocked from executing—and penetration testing—which identifies vulnerabilities in websites and servers that could be exploited by attackers, according to Randy Livingston ’75 MBA ’79, vice president for business affairs and chief financial officer.
IT Services has also been increasing the amount of logging and monitoring, with the goal of identifying intrusions earlier and stopping attackers before they move deeper into the network.
Livingston cites updating the older operating systems and security patches on devices as one of the more challenging updates thus far.
Older operating systems are not only more exposed to known vulnerabilities, but once the vendor ends support they also stop receiving the security patches and upgrades that could delay or prevent attacks. For instance, computers running Microsoft’s Windows XP will no longer receive security patches after April 2014.
Feedback on two-step authentication
In the meantime, complaints about the two-step authentication system have been submitted to HelpSU, some about the need to carry around a cellphone, smartphone or list, Livingston said.
The two-step authentication system, which has been mandated for over a month, requires users to enter a unique authentication code at least once every 28 days when logging into sites that require a higher level of security. Users can receive the authentication codes through printed lists, authenticator applications or text messaging. Some students have had trouble using the authentication codes.
Ashwin Sreenivas ’17 receives the codes through text message and said that though two-step authentication is necessary, the process is “really annoying and inefficient.”
“The one place we never get cell phone reception is the computer cluster,” Sreenivas said.
As a result, he must enter the cluster to request the code, leave to receive the text message and return to log in, a process he goes through every week.
Though it hasn’t severely discouraged him from using Stanford websites, Sreenivas said that if there were a petition to change two-step authentication, he would sign it.
Elizabeth Sigalla ’15 used a printed list but switched to using an authenticator application after forgetting to bring the list with her multiple times.
She lives in Tanzania and goes home during long breaks, preventing her from using the text-message system. She also doesn’t have a printer at home and would not be able to print out the list of codes there.
“I wanted to get used to the authenticator application so that if I need help, I can ask for it here instead of being very far away and unable to contact anyone,” Sigalla said.
Rochelle Ballantyne ’17, who receives the codes via smartphone application, said that two-step authentication is just the way it is.
“There’s nothing wrong with it, and it’s a very safe system that works—it can just be frustrating,” Ballantyne said.
Associate Chief Information Security Officer Michael Duff is against using alternative forms of two-step authentication such as personal security questions, although they may be more convenient for users.
According to Duff, the security benefit of the current two-step authentication comes from combining different categories of identity verification: something a user knows, such as a password; something a user has, such as a smartphone; and something a user is, such as a fingerprint.
Since personal security questions fall into the first category, what the user knows, the same category as the password, they provide only marginal additional protection.
“Personal security questions are a particularly weak form of secondary authentication because they are based on information about individuals often obtainable or otherwise guessable,” Duff said.
As of now, two-step authentication is here to stay, but according to Livingston, IT Services may replace the two-step authentication associated with WebLogin with a third-party product that supports alternative authentication mechanisms.