Single Sign-On and Federated Identity: The Cybercriminal's Dream?

When we launched a major expansion of our two-factor authentication system (Duo) at Indiana University (IU), we knew there would be some constructive criticism. IU has a site allowing users to provide feedback on any web-based service, so we searched it for "Duo" to see what our users were saying in the Comments section. Many users were angry and confused about why they needed Duo to get into Canvas, our learning management system. Instead, why couldn't Canvas just send them an e-mail with some sort of special code to enter back into Canvas? Dan shook his fists in frustration and audibly muttered, "Because your Canvas password and your e-mail password are the same thing! The code would add no security!" Then we discussed it and wondered if single sign-on (SSO) for Canvas, e-mail, network access, and library systems had led to the huge target on our backs. By making it easier to access a plethora of campus services with one login, had we made the username and password so valuable that we would actually attract cybercriminals?

I could see the use of e-mail as a secondary method to retrieve the second passcode (like all three of my banks use), but I do not see why it is so important to secure sites like Canvas, where most of us visit mostly to download lectures and receive information. I don't see why I need both my computer and a cellphone just to receive information from my professor.
—William B, IU Duo User


Higher education is by some measures the hardest-hit sector. A study conducted last year by BitSight Technologies, which evaluates companies' risk and security performances, estimated that 10 percent of colleges have experienced ransomware attacks, significantly higher than government entities (6 percent) or health care organizations (3.2 percent).1
—Carl Straumsheim, Inside Higher Ed


Perhaps the greatest collaboration in recent years in higher education IT shops has been our work on identity and access management (IAM). The first-order task for most IAM projects is working toward some form of single sign-on. SSO comes in many flavors, but all focus on allowing users to log in to all university resources using the same username and password. Now, identity management will never contribute to a Nobel Prize in literature. It will not lead to any illuminating lectures in the classroom. Students will not sit in their dorm rooms late at night discussing it. But implementing IAM transparently to users makes the university function better. In a pre-SSO world, it was common for individuals inside a single institution to have different logins (i.e., multiple usernames and passwords) for each system, department, etc. This led to considerable user frustration and higher support costs for the institution. Collaborating on identity management means not needing a separate username and password for each system the user accesses. IU currently counts hundreds of systems that use SSO and rely on that common set of credentials.

Until last year, with just their username and password, IU users could read journal articles from dozens of different publishers. They could download their latest paycheck and W-2. They could sign up for health insurance. They could pay a parking ticket. They could send e-mail, drop a class, download the entire Adobe Creative Cloud suite, access Wi-Fi at 383 different universities across the United States,2 use unlimited file storage in the cloud, and sell a bicycle in our classifieds. These abilities are not unique to IU; most faculty, staff, and students enjoy them at institutions all over the world with just a single set of credentials.

Each of our systems and applications has some discrete value, but an IU username and password unlocks them all, making the credentials' value equal to the sum of all those discrete values. We would estimate the retail value of a username and password at IU would be in the tens of thousands of dollars for the subscription costs of the services alone, not to mention that impersonating the right person's identity at a university could be worth millions if the right transactions were carried out.

Moreover, by using just a single username and password to unlock so many systems, we essentially created a honeypot for cybercriminals. Now, we do not advocate for the unwinding of single sign-on — we're just describing our present state. This has always been part of the value proposition of SSO: we create a single, higher-value credential so we can focus our efforts on making sure that it is managed as carefully as practical. However, this also creates an attractive target for phishing, ransomware, and malware. This honeypot is precisely why we need two-factor authentication — it serves as an effective countermeasure against the cybercriminals.

Because this single set of credentials allows access to so many systems, it led us to require two-factor authentication for most employees on February 2, 2017. Two-factor authentication pairs something you know — in this case, your password — with something you have, such as your smartphone. If you are not in possession of both, you are not able to authenticate. This is why it provides such strong protection against phishing: someone would need to steal not only a username and password but also a physical device — or intercept a code generated locally by the user. Two-factor authentication allows us to have both the business value of a single set of credentials and a higher level of security. We encourage our colleagues at other institutions to follow suit.

Our collective challenge now will be with raising awareness through communication. We face an uphill battle to convince our users that our situation, because of SSO and federation, is different from other two-factor solutions they may already know, such as their bank accounts or social media accounts. Nonetheless, it's a hill we must climb: the cybercriminals already know that single-sign on and federation assigns incredible value to our users' accounts, so it's our responsibility to educate our users on their account's implicit value and put measures in place to protect our users from these fraudsters. Otherwise, the cybercriminals will continue to phish and exploit higher ed as one of their favorite targets.

Notes

  1. Carl Straumsheim, "Your Data or Your Money," Inside Higher Ed, January 24, 2016.
  2. Wi-Fi access is made possible by eduroam, an Internet2 service.

Daniel Calarco serves as the chief of staff for the vice president for IT and CIO at Indiana University and chairs the CIO's SafeIT task force.

Jacob Farmer leads the identity management systems team at Indiana University.

© 2017 Daniel Calarco and Jacob Farmer. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.