Lithuania: Students stop university from using only proprietary authentication
Vilnius Tech officials attempted to enforce the use of proprietary two-factor authentication (2FA) methods. Some students were concerned that the methods would compromise their privacy and could not run on their devices, and proposed an alternative based on open standards. In the end, the university reversed its decision.
Vilnius Gediminas Technical University (VGTU), a public university in Lithuania, recently attempted to make 2FA mandatory for access to its platforms. The problem came when some students noticed that the available methods would make the platforms inaccessible to those who did not wish to use proprietary tools. Students using phones running Free Software would lose access to their university tools, such as email. So they demanded open standards and Free Software. After weeks of student complaints, and with no official explanation, the measure was reversed. In a symbolic act, one student even hacked the university's GitLab instance and reported it to the IT department.
University attempted to lock out students who use Free Software phones
On 14 February an email was sent out to all students and staff, instructing them to configure 2FA within two weeks or lose access to university services. What raised concerns was that the system set up by VGTU allowed only two 2FA options: push notifications from the Microsoft Authenticator app, and SMS.
While there is nothing wrong with enforcing 2FA, both methods mandated by VGTU are proprietary and compromise privacy. Microsoft Authenticator is proprietary software, meaning that users are not allowed to study, share, and improve its code without restriction. In addition, the app was only available on two platforms, Android with Google Play services or iOS, so people using Android builds without Google services or alternative Free Software app stores were locked out. The alternative SMS option required users to share their phone number and personal information with Microsoft, which also made students uncomfortable. SMS is also widely regarded as the weakest second factor, since codes can be intercepted or redirected through SIM swapping.
No way around it
Several students demanded that VGTU also allow open standards and Free Software. The "app passwords" option, which Microsoft's multi-factor authentication setup normally offers, was not available. This would have allowed students to access their university email from other clients without 2FA. The "Configure app without notifications" option, which would have allowed the use of any other authenticator app or password manager, was also unavailable. Since the university had disabled the alternatives, the only option left to the university community was reliance upon Microsoft.
Some students contacted the IT Helpdesk requesting that the TOTP (time-based one-time password, the open standard specified in RFC 6238) option be enabled. However, the IT department claimed that its systems were not designed to support such authentication. The department replied that two 2FA options, SMS and the Microsoft app, were currently available and that the use of TOTP could be considered in the future. In short, the IT department did not listen to these students' demands.
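The TOTP option the students asked for is not tied to any vendor: RFC 4226 (HOTP) and RFC 6238 (TOTP) describe a short algorithm, an HMAC over a time-derived counter, that any client can implement from a shared secret, which is why Free Software authenticators can interoperate with it. The following is an added example, not code from VGTU, Microsoft or the article's author. The account name and issuer in the otpauth URI are placeholders; the secret is the shared test key from the RFCs.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation.

Added example, not code from Vilnius Tech or the article's author. It shows
that the TOTP option requested by the students is an open standard that any
client, including Free Software authenticators, can implement from a shared
secret plus the current time.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps of clock
    skew on either side, comparing each candidate in constant time."""
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    return any(hmac.compare_digest(hotp(secret, counter + delta, digits), code)
               for delta in range(-window, window + 1))


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI in the Key Uri Format that TOTP apps read from a QR code.
    A base32 secret plus these parameters is all a client needs to enrol;
    `account` and `issuer` are placeholders chosen for this example."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": digits,
                                    "period": step})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
    key = b"12345678901234567890"
    for counter, expected in [(0, "755224"), (1, "287082"), (2, "359152")]:
        assert hotp(key, counter) == expected                      # RFC 4226 vectors
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924")]:
        assert totp(key, t, digits=8) == expected                  # RFC 6238 SHA-1 vectors
    print(provisioning_uri(key, "student@example.edu", "ExampleUniversity"))
    print("code for this 30-second step:", totp(key))
```

The verifier's `window` parameter is the usual trade-off between tolerating phone clock drift and widening the brute-force surface; a production server should additionally refuse to accept the same code twice within its window.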
"This university has a bad habit of enforcing proprietary software and doing little research on the free alternatives. Free software has always been better and easier to use. It's hard to study when you can't agree with invasive EULAs," states Zehra Irem Kuyucu, one of the affected students.
Raising the anti-discrimination argument to the university community
The students then went on to raise their concerns to other members of the university community, including the Deputy Manager, the Students Office, and the Department of Information Technologies. They pointed out that the study agreement did not require them to have a working phone running Google Play services or iOS. According to Lithuanian law, educational institutions cannot discriminate against students on the basis of their social status or beliefs, and the University's 2FA restrictions could discriminate against students who refuse or are unable to install a proprietary application on their personal devices.
Silent victory: access to services, student GitLab hack
After students who could not configure 2FA had been blocked for about a week, the university community was able to access their email again on 27 March. Nobody was notified of the change, and the university still did not offer a TOTP option for 2FA.
A few days later, one of the students, Zehra Irem Kuyucu, even went one step further. She resorted to drastic measures by hacking the university's GitLab instance. She explained that she wanted to “teach what their infrastructure is worth, as another bad habit they have is poor security, despite authoring articles about it”. Then she sent an email to the IT department with security advice. She has, on other occasions, also reported problems regarding other parts of their infrastructure, such as HTTP plain-text authentication or poor wireless network security.
Two-factor authentication helps to secure accounts and data, but it should be implemented in a way that does not lock anyone out. VGTU's 2FA mandate offered only proprietary software, raising concerns among students who did not want to compromise their privacy. The university's decision to disable the options that would have allowed students to access their university email from other clients without 2FA was unfair, as it left students no choice but to use Microsoft Authenticator or to share their phone number and personal information with Microsoft. The IT department's refusal to enable TOTP was also unsatisfactory, as it meant that students without devices compatible with Microsoft Authenticator were discriminated against. While the university said that TOTP could be considered in the future, it gave no timeline for when this would happen.