And as they say in the letter, MS Authenticator (which is not even really a 2FA system but a passwordless authentication product, likely the best on the market right now) is not even mandatory, as SMS is also an option. Setting the downsides of SMS 2FA aside, they are not actually being required to use proprietary software, but instead seem to have bundled two mostly unrelated concerns together. I mean, they're objecting to having to share their phone number with MS... in order to access their email that MS hosts. The privacy boundary they're making this stand over is just a very strange one.
TOTP isn't really a drop-in replacement either, as MS Authenticator is intended to protect against a couple of classes of attacks that TOTP doesn't, most importantly interactive 2FA phishing, which TOTP remains vulnerable to. Following the Okta attacks a number of organizations have prohibited TOTP, as interactive phishing of TOTP tokens is becoming common enough that TOTP 2FA is no longer substantial protection against this extremely common attack vector. FIDO is another good option, but frankly the usability of FIDO remains very poor and it produces a much higher volume of support issues than app-based interactive verification.
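The distinction the comment above draws (TOTP relayable by an interactive phishing proxy, FIDO not) is worth seeing in code. The following is an added illustration, not code from the thread or from any of the products discussed. It implements RFC 6238 TOTP as-is, and a deliberately simplified FIDO/WebAuthn assertion flow: the relying party name `rp.example`, the attacker domain `login-rp.example`, the secrets and the challenge are all constructed for the demo, and the credential signature is replaced by an HMAC with a key the relying party also holds (a stand-in for the real private/public key pair) so the script runs with the standard library alone. The origin-binding checks are the part that matters.

```python
import base64
import hashlib
import hmac
import struct


# ---- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ----

def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30) -> str:
    """Standard TOTP; the code depends only on the shared secret and the clock."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


DEMO_SECRET = "JBSWY3DPEHPK3PXP"  # constructed demo secret, not a real one


def totp_server_accepts(code: str, at: int) -> bool:
    """Server side: accept the current step plus one step of drift either way."""
    return any(hmac.compare_digest(code, totp(DEMO_SECRET, at + d)) for d in (-30, 0, 30))


def totp_phish_relay(at: int) -> bool:
    """Interactive phishing: the victim types the code from their app into the
    attacker's look-alike page and the attacker's proxy forwards it to the real
    server within seconds.  Nothing in the code ties it to the page it was
    typed into, so the real server accepts it."""
    typed_by_victim = totp(DEMO_SECRET, at)
    return totp_server_accepts(typed_by_victim, at)


# ---- FIDO/WebAuthn-style assertion, simplified ----

RP_ID = "rp.example"                 # made-up relying party
RP_ORIGIN = "https://rp.example"
CRED_KEY = b"\x01" * 32              # constructed credential key (HMAC stand-in for a key pair)


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """What the browser enforces: the requested RP ID must be the page's host or
    a registrable suffix of it, and the origin written into clientData is the
    page's real origin, not whatever the page claims to be."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = f'{{"type":"webauthn.get","challenge":"{challenge.hex()}","origin":"{page_origin}"}}'
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    to_sign = rp_id_hash + hashlib.sha256(client_data.encode()).digest()
    sig = hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()
    return client_data, rp_id_hash, sig


def rp_verify(challenge: bytes, client_data: str, rp_id_hash: bytes, sig: bytes) -> bool:
    """Relying party checks: our RP ID hash, our origin, our challenge, and a
    valid signature covering both the authenticator data and clientData."""
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if f'"origin":"{RP_ORIGIN}"' not in client_data or challenge.hex() not in client_data:
        return False
    to_sign = rp_id_hash + hashlib.sha256(client_data.encode()).digest()
    return hmac.compare_digest(sig, hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest())


def fido_legit_login(challenge: bytes = b"\x42" * 16) -> bool:
    return rp_verify(challenge, *browser_get_assertion(RP_ORIGIN, RP_ID, challenge))


def fido_phish_relay(challenge: bytes = b"\x42" * 16) -> bool:
    """Same proxy trick against FIDO: the attacker relays the real challenge to
    the victim's browser from a look-alike domain.  The browser refuses to
    produce an assertion scoped to rp.example from another origin."""
    phish_origin = "https://login-rp.example"   # made-up attacker domain
    try:
        return rp_verify(challenge, *browser_get_assertion(phish_origin, RP_ID, challenge))
    except PermissionError:
        return False


def fido_phish_forged_rpid(challenge: bytes = b"\x42" * 16) -> bool:
    """Even if the attacker's page asks for its own domain as RP ID (which the
    browser allows), the assertion carries the attacker's rpIdHash and origin,
    so the real relying party rejects it.  A real authenticator would not even
    hold a credential for that RP ID; the shared key here is a simplification."""
    phish_origin = "https://login-rp.example"
    return rp_verify(challenge, *browser_get_assertion(phish_origin, "login-rp.example", challenge))


if __name__ == "__main__":
    print("TOTP relayed through phishing proxy accepted:", totp_phish_relay(1_700_000_000))
    print("FIDO legitimate login accepted:", fido_legit_login())
    print("FIDO assertion relayed through phishing proxy accepted:", fido_phish_relay())
    print("FIDO assertion with attacker's own RP ID accepted:", fido_phish_forged_rpid())
```

The TOTP half can be checked against the RFC 6238 Appendix B vectors (the ASCII secret `12345678901234567890`, base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`, at T=59 gives `94287082`). The FIDO half shows the two layers that defeat the relay: the browser will not mint an assertion for an RP ID that does not match the page origin, and the relying party checks both the RP ID hash and the origin string under the signature, so an assertion minted for the attacker's domain is useless against the real site.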
Fighting for civil rights often makes you look like a prick, because you keep laser-focused on your goal and need to counter all the reasonable-sounding objections of people who were following their daily routines before this ball-breaker came along; but it is nevertheless necessary.
Contrary to Hollywood films, people don't stamp on other people's rights because they have some inner impulse to do evil, but because injustices are ingrained in the common way of doing things, and fixing them implies deviating from those routines; that's why it's so hard to change them.
That's the real meaning of the sentence "for evil to triumph, all it takes is for good people to do nothing". The movie script of a hero taking the matter into their own hands and saving the world with heavy guns is but a fantasy.
You are correct. All true.
But there is no easy-to-implement groupware, open office, email and chat suite. Yes, on HN you can say Zoho or SOGo or LibreOffice. While I totally use OSS, it is a pain for universities to find talent to implement this at scale.
Also, a majority just use MS products and want compatibility. This is similar to tons of devs doing OSS dev but using macOS (and using a VM or remote SSH) because they want their devices to run for 12 hours on battery.
Some European universities tried going with open solutions; this patchwork either failed or some even got hacked.
In the end, there are no easy solutions. I sincerely wish someone like the Linux Foundation would implement a complete OSS solution based on Nextcloud, building a fully integrated suite to compete with G Suite or MS.
Email is a thankless, dirty business (ask anyone that has ever done an Exchange migration), and there is no incentive for the University to necessarily use and maintain a persistent free software-based email backend. It would be a better outcome to allow students the ability to use their own, personally-chosen communication services and devices, with the caveat that this might exclude some students or faculty from accessing resources that are under the control of commercial partnerships.
Stop putting your hand in the meat grinder and turning the crank. It IS possible to live the FOSS dream; just stop whining that non-FOSS software and services have left you behind; it's not their directive to do so.
But the students were further aggravated by the incompetence of the university. There’s a bit in the articles and emails about how easy it was to hack into their infrastructure despite 2FA efforts. Together, these things (and some of the published emails) seem to show the university is stubborn and incompetent. Which is where students and VGTU seem to clash as well.
The university staff should have just enabled TOTP, or at least offered some reason to believe they generally knew what it was. Given the university claims to be specialised in tech, it is a reasonable expectation. Instead, their technical staff demonstrated a front line tech support level understanding.
It seems like those are the fundamental problems the students are surfacing.
* O365 doesn't require installing anything on your local device.
* SMS 2FA is less secure.
* Personal phone number is in a separate privacy domain from work/school email.
The objection is that they're being required to compromise their security, either by installing Microsoft's spyware or enabling SMS 2FA.
I get it, Microsoft sucks. But they're almost certainly using Android phones or iPhones and so already use a bunch of proprietary software.
What a stupid hill to die on.
In the article the student mentions that they're using "a PinePhone running PostmarketOS"
One then has to get through a number of roadblocks including:
* The option to log in with a FIDO key does not show up in Firefox, only Chrome (and Edge?). Bugs?
* MS only recognises keys from "Partner organisations". If you go with an open source key, such as Solo, it probably won't be from an MS partner and you will have to get the Admin to add the AAGUID numbers for your type of key.
* A "Temporary Access Pass" needs to be issued by the Admin for first sign-in, to boot the chain of trust.
All in all it's a pain for the Admin compared to saying "Download MS Authenticator", hence it may be difficult to get an Admin to admit that the FIDO option is there.
TAPs can be programmatically generated in batches for a rollout.
Authentication has been a solved problem for decades but no bank is going to ask the general public to use their SSH keys.
>> Authentication has been a solved problem for decades but no bank is going to ask the general public to use their SSH keys.
Nor ask them to put their smartcard in the reader, although many banks will already have given one to their customers...
This thought is repeated in the correspondence, does anyone have any idea what they actually mean by that? After all, if they're using Azure Active Directory, then surely the type of 2FA shouldn't matter that much to most of the software that's integrated with it, right?
Why wouldn't the suggestions presented in the e-mails work?
Go to Security > Multifactor Authentication > Additional cloud-based multifactor authentication settings.
Tick the checkboxes like in the attached image.
Presumably along the lines of: https://learn.microsoft.com/en-us/azure/active-directory-b2c...
Other than that, it feels like repeated back and forth, with either a lack of mutual understanding of what's actually being used sometimes, or the repeated statement above, which is unfortunate to see.
Props to the person for standing their ground due to what they believe in, but I feel that many would (unfortunately?) just get a cheap Android device for something like this, if their daily driver was something else.
I agree in principle, but doubt that our reality matches up with that. It's easier for them to blame the minority of people, especially if nobody will stand up for them.
In their own words:
>> If your phone doesn’t support Microsoft Authenticator, you need to use “Call to phone”, if you don’t want that method to use, you need to change your phone, which support Microsoft.
They can just say: "Most people use phones with a mainstream OS, don't be a weirdo and just use a phone like that, like the rest of the people." Same unfortunate situation across the board, with plenty of software being Windows/Mac-only, drivers not being open source and for the most part almost nobody caring.
What's worse, in this case it seems like it should be possible to support TOTP with relatively few issues, unless there is indeed something major I'm missing.
In Lithuania you don’t even need to register anything. You can just buy a bag full of sim cards in any supermarket completely anonymously.
Note that the link is a permalink, and if you're reading this in the future you may want to go to the master branch at https://gitlab.digilol.net/Siren/vgtu-article/-/blob/master/....