Lithuania: Students stop university from using only proprietary authentication

Vilnius Tech officials tried to enforce the use of proprietary
two-factor authentication (2FA) methods. Some students were concerned that
the methods would compromise privacy and could not be run on their
devices, and proposed an alternative method of authentication.
In the end, the university reversed its decision.

Vilnius Gediminas Technical University (VGTU), a public university
in Lithuania, recently tried to make 2FA methods mandatory for
access to its platforms. The problem arose when some students noticed
that the available methods would make the platforms inaccessible to
those who did not wish to use proprietary tools. Students using phones
running Free Software would lose access to their university tools, such
as email. So they demanded open standards and Free Software. After
weeks of student complaints, and with no official explanation, the
measure was reversed. In a symbolic act, one student even hacked the
university's GitLab instance and reported it to the IT department.
University tried to lock out students who use Free Software phones
On 14 February an email was sent out to all students and staff,
instructing them to configure 2FA within two weeks, or they would not
be able to access university services. What raised concerns was that
the system set up by VGTU only allowed two options for 2FA: Microsoft
Authenticator (app notifications) and SMS.
While there is nothing wrong with implementing 2FA, the methods mandated by VGTU are proprietary and
privacy-compromising. Microsoft Authenticator is proprietary software,
meaning that users are not allowed to study, share, and improve the
code without restriction. In addition, the app was only available on
two platforms, Android with Google Play services or iOS, meaning that
people using other Free Software app stores were locked out. The
other option, SMS, required users to share their phone number and
personal information with Microsoft, which also made students
uncomfortable.

No way around it
Several students demanded that VGTU also allow open standards and Free
Software. The "app passwords" option, which is normally built into
Microsoft Authenticator, was not available. This would have allowed
students to access their university email from other clients without
2FA. The "Configure app without notifications" option, which would have
allowed the use of other password managers/authenticators, was also
unavailable. Because the university disabled these alternatives, the only
option left for the university community was reliance on Microsoft.
Some students contacted the IT Helpdesk requesting that the TOTP (time-based
one-time password) option be enabled. However, the IT department
claimed that their systems were not designed to support such
authentication. The department stated that two-factor authentication
options were currently available, SMS and the Microsoft app, and that
the use of TOTP could be considered in the future. In short, the IT
department did not listen to these students' demands.
"This university has a bad habit of implementing proprietary software and doing
little research on the free alternatives. Free software has always been
better and easier to use. It is hard to study when you can't agree with
invasive EULAs," states Zehra Irem Kuyucu, one of the affected students.
The students then went on to raise their concerns with
other members of the university community, including the Deputy
Manager, the Students Office, and the Department of Information
Technologies. They pointed out that the study agreement did not require
them to have a working phone running Google Play services or iOS.
According to Lithuanian law, educational institutions cannot
discriminate against students on the basis of their social status or
beliefs, and the University's 2FA restrictions could discriminate
against students who refuse or are unable to install a proprietary
application on their personal devices.
Silent victory: access to services, student GitLab hack
After students who could not configure 2FA had been blocked for
about a week, the university community was able to access their email
again on 27 March. No one was notified of the change. The university
did not offer a one-time password option for 2FA.

A few days later, one of the students, Zehra Irem Kuyucu, even went one step
further. She resorted to drastic measures by hacking
the university's GitLab instance. She explained that she wanted to "teach what
their infrastructure is worth, as another bad habit they have is poor
security, despite authoring articles about it". She then sent an email to the IT department with security advice. She has, on other occasions, also reported problems concerning
other parts of their infrastructure, such as HTTP plain-text
authentication or poor wireless network security.
Conclusion
The use of two-factor authentication methods
helps to secure devices and data, but it should be implemented in a way
that does not lock anyone out. VGTU's mandate for 2FA only gave the
option of using proprietary software, raising concerns among some students
who did not want to compromise their privacy. The university's decision
to disable options that would have allowed students to access their
university email using other clients without 2FA was unfair, as it left
students with no options but to use Microsoft Authenticator or to share
their phone number and personal information with Microsoft. The IT
department's refusal to enable TOTP as an option was also not
satisfactory, as it meant that students who did not have devices
compatible with Microsoft Authenticator were discriminated against.
While the university claimed that TOTP use would be considered in the
future, there was no timeline for when this would happen.
After students who could not configure 2FA had been blocked for about a week,
the university silently retreated. The university community was able to
access their email again on 27 March.