IT-security: Students accessing their emails report difficulties with the new two-factor authentication method. According to the IT department, there isn’t much to do about it.
In June 2019, news broke that 500 employees of the university had clicked on an email sent by hackers, thereby leaking personal information. Within the last year, the university has been subject to an additional three attacks perpetrated by hackers.
In response to the threat, the University of Copenhagen has implemented a new, so-called two-factor authentication method which requires users to authenticate computer logins to the email system via their smartphones whenever their computers are disconnected from the University of Copenhagen network.
The new system is a nuisance, according to the students the University Post has been in contact with.
Mads Buhl Pedersen, a second-year student of political science, appreciates the importance of preventing hackers from attacking the university, but says the method is not without problems.
»As a student, it’s frustrating that you need to use your phone every time you want to log in to check your email inbox—which is to say on a daily basis. My phone often runs out of power during the day, so I can’t read or write e-mails,« he says.
Kim Otto Ursin Johansen is head of a team at the university’s central IT department, KU-IT, working on improving cybersecurity. According to him, the old system, which relied on a personal username and a password, was too easy for hackers to abuse.
»Using false e-mails, they attempt to access the system and have users share data with them. Typically, they are looking for KU-usernames and passwords. When they obtain them, all of the features that are available to users are now available to them. In the past, we only relied on a username and a password to access a host of systems, including KUnet, KU-mail, and web files. Once a hacker has access, he or she can abuse or destroy people’s data.«
Students like Mads Buhl Pedersen argue that the university ought to apply a mandatory e-mail filter that screens for phishing e-mails on accounts belonging to anyone over the age of 30.
»Younger students know not to hand out personal information online when they receive e-mails from unknown senders,« he says.
Kim Otto Ursin Johansen from KU-IT cannot help but laugh at the suggestion.
»Experts on cybersecurity all agree that two-factor authentication is the way to go. If someone steals your KU-username and password they can abuse it. For example, criminals are able to send out more spam e-mails from one user to other users. The more data they have, the more credible the e-mail looks, which means more people are likely to fall for it,« he says.
»You can buy phishing software from criminals just like you would buy the Office suite. It sounds absurd, but that’s what’s going on. With two-factor authentication we can combat them,« says Kim Otto Ursin Johansen.
At the Faculty of Law, first-year student Søren Claudi is baffled by the university’s decision to focus on securing the e-mail system first, when the intranet contains more sensitive data:
»If a hacker were to gain access to my KUnet account, he or she could access my grades, my social security number, etc. Accessing my email, the hacker would only see my correspondence with professors,« says Søren Claudi.
»The way I see it, the university is prioritizing adding an extra lock to the candy drawer, when they should be focusing on securing the money safe,« he says.
The University Post has asked Kim Otto Ursin Johansen why two-factor authentication has yet to be implemented on KUnet.
»KUnet is an obvious candidate for implementation of two-factor authentication, but the e-mail system is also a quite vulnerable area,« he says. »We have a policy at the University of Copenhagen of sending social security numbers via the internal e-mail system when need be.«
An article from the BBC details how easily a hacker can force his or her way into a university network in less than two hours.
Last fall, shortly after the implementation of two-factor authentication, history student Sigrid Boel Jacobsen left for the United States, and she found it frustrating that she was not able to access her KU-mail using an American SIM card on her phone, as her e-mail account was connected to her Danish SIM card. This prevented her from emailing her instructors.
»We need more options in terms of accessing web-mail using two-factor authentication,« says Kim Otto Ursin Johansen from KU-IT.
»Using a phone is the standard option. However, if you are travelling, you can also use the NET-IQ app which is part of the two-factor authentication system. You can also use Google Authenticator or Microsoft Authenticator. So, you can download a separate app and connect to the two-factor authentication system and thus avoid using a phone number and a SIM card altogether,« he says.
»Another option is to use a FIDO2 key, a small USB drive which costs about 150-200 kroner. You put it in your computer and use it as a virtual key. One final solution is installing a mail client on your computer to download your e-mails. There’s a guide to setting this up in the system.«
»We’re not trying to bother anyone. We want to help, but cybersecurity is our main priority,« says Kim Otto Ursin Johansen.
Translation: Theis Duelund