Ever since the internet became a mass phenomenon, there have been campaigns for people to use stronger passwords. Seeing the futility of those campaigns, and the increasing number of ways in which you can be identified online, we are now in the age of multi-factor authentication. A platform can now have access to more than your user ID and password: your phone number, or the whole phone with its range of sensors, all the way up to specialized hardware keys, can all be additional layers of protection for your personal information and the systems to which you have access.
Would a larger number of factors ultimately deter all online threats? I think you know the answer.
The security subject we all should have been experts on all along
It seems only implied in most of the coverage about cyberattacks and privacy, but there is an undeniable and recurring fact: with today’s technology, malicious actors are out to hack people, not systems. After all, that is the most cost-effective way to get past whatever number of factors is put in place.
“Social engineering” is a strange name for the art of convincing a human to hand over access to a system. (It means other things in other fields, namely political science.) Attempts can be as “innocent” as a phishing email, or complex and elaborate. On the extreme end, there is no limit to the detail in which an actor can recreate a whole experience through several channels, all in the hope of earning your trust, or of getting you to lower the guard of your mistrust. As interactive storytelling goes, it could be praiseworthy if it weren’t so nefarious.
As several public intellectuals on security will acknowledge, most notably self-proclaimed “public interest technologist” Bruce Schneier, no digital technology works if it doesn’t have our trust. From this view, the millions spent on marketing, communications and PR make sense. It seems costly, but the appearance of trust is more profitable than, you know, actually being trustworthy. Not even blockchain, sometimes touted as a “trust-free system,” could work if you wouldn’t let it solve a problem for you.
Schneier argues that the trust-inducing mechanisms in society do not scale. Incentives in large populations are not the same as those in small communities. The role of institutions is to verify and enforce trust, which sounds almost like a contradiction. In this sense, blockchain is a “distributed trust architecture” institution, but a trust-requiring one nonetheless.
«What blockchain does is shift some of the trust (…) You need to trust the cryptography, the protocols, the software, the computers and the network. And you need to trust them absolutely, because they’re often single points of failure.
»When that trust turns out to be misplaced, there is no recourse. If your bitcoin exchange gets hacked, you lose all of your money. If your bitcoin wallet gets hacked, you lose all of your money. If you forget your login credentials, you lose all of your money. If there’s a bug in the code of your smart contract, you lose all of your money. If someone successfully hacks the blockchain security, you lose all of your money. In many ways, trusting technology is harder than trusting people.»
So if you thought tech would finally get rid of that pesky need to rely on one another, I’m sorry to disappoint you.
Security and social engineering: mandatory training in every online learning offering?
Many organizations have the good —and arguably obvious in hindsight— habit of adding an introductory LMS course within their LMS, at least as a reference. Should all LMS also include a basic online security module?
If that name does not sit well with HR departments, maybe this one will: “Security Hygiene.”
Site admins should be expected to know about these topics, both on the technical and the social side. For them, how to properly communicate and attend to concerns and issues is also important.
Paid offerings are available. This example comes from famed former hacker Kevin Mitnick’s KnowBe4: Security awareness training
What would a 2019 Open Security Online Curriculum look like?
We could group some topics, starting with the basics:
- Personal security 101: Strong passwords (one last attempt)
- Software security: Issue detection and reporting, patching and upgrade roadmaps
- Encryption and protocols for secure communication, SSL
- Make sure all system users keep their applications and devices patched and up-to-date.
- Add secure, encrypted access (HTTPS) to your LMS using SSL.
- Technologies for protection, prevention and risk management
Add these to the mix. Anything missing? Be sure to let us know, for everyone’s sake!
- Open Source Technologies. What are their differences, and why an open (FOSS) development roadmap often increases the safety of a piece of software.
- Dark Patterns. The Internet today is a sophisticated persuasion machine, which underscores the relevance of literacy. But not just any kind. Online experiences today are prone to questionable tricks to make users spend their time and money in ways that offer no value or personal benefit. The “Dark Patterns” project at Princeton seeks to increase awareness around these practices. Worry not: the US Congress is on the case.
Give Google your students’ phones
Research in partnership with NYU and UCSD lets Google conclude that adding a phone to a Google account, or using two-factor authentication (2FA) with a phone, can block:
- 100% of automated attacks
- Bulk phishing attacks: 96% blocked using SMS, 99% using on-device prompt
- Targeted attacks: 76% blocked using SMS, 90% using on-device prompt
Their research, reported on Google’s security blog by Angelika Moscicki and Kurt Thomas, shows that alternative authentication methods offer nowhere near the levels of security of phone-based 2FA.
No, don’t give Google your students’ phones
In what would be more worrisome episodes if they were less anecdotal, SIM hacking is an effective method to overturn every protection that focuses on your phone. This engineering leader at bitcoin custody and security company BitGo, of all people and places, was the victim of a “SIM port hack.” But he was not the subject of the social engineering. It seems an AT&T service representative was.
In that case, taking advantage of the OAuth 2.0 link was fatal. Having access to the Google account allowed the attackers to gain control of his social media and many other services.
Coonce eventually got his access back, but not before substantial monetary and data losses.
You don’t have to be the victim of such an extreme circumstance to see how relying exclusively on a phone has drawbacks. “Additional frictions,” which deter some attacks, can also become an annoyance for the user, or worse if the phone is suddenly unavailable. Higher security is null if it makes the system unusable, although it seems the tiniest lapse can prove expensive.
For “highly sensitive individuals,” Google recommends purchasing security keys that work independently from smartphones. The Titan Security Keys they offered, however, were found to be defective (not necessarily unsafe, though). Another popular key provider, Yubico, has been the subject of controversies for its mishandling of flaws in its keys, followed by newer security bugs found.
So just to drive the point home: Everything is hackable. And everyone can be a victim.
Is 2FA, MFA available for your LMS?
- The general, OAuth 2.0 way. All LMS support OAuth 2.0, which you can link to a tech giant that provides it.
- In Moodle, the “Etouffée” plugin provides this, but it has not been maintained since 2014. It is based on the Google Authenticator app, which is essentially the same process as through OAuth 2.0, except that it does not require you to link your Moodle and Google accounts.
- Canvas features Google Authenticator app-based MFA in the same vein as Etouffée. Learn more here.
- Blackboard does not advertise or provide support for this feature, but there is a precedent with University of Miami using Duo. Saaspass does advertise support for Blackboard.
- Totara partners such as Lambda Solutions provide MFA upon request and subject to version, it seems.
- Third-party services and apps are available for some of the LMS mentioned, including: Saaspass (Blackboard), Duo (Blackboard, Sakai)
More future authentication factors, and resources
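The authenticator-app MFA mentioned for Moodle and Canvas above works the same way regardless of LMS: at enrolment the server generates a shared secret and hands it to the phone as an otpauth:// QR code; afterwards both sides derive a six-digit code from that secret and the current 30-second time step (RFC 6238 TOTP, built on RFC 4226 HOTP), and the server checks the submitted code. The following is an added example written for this article, not code from Moodle, Canvas or any of the plugins named; the secret is the RFC reference key so the output can be checked against the published test vectors, and the issuer and account names used in the test are hypothetical. It also shows the two server-side details a plugin must get right: a small drift window, and rejecting a code whose time step has already been accepted (single use), so a code phished in transit cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Constructed demo secret: the RFC 4226 / RFC 6238 reference key, so the codes
# below match the published test vectors (a real server generates one per user).
DEMO_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user shared secret, generated server-side at enrolment."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI the LMS renders as a QR code for the authenticator app.
    The issuer/account values are whatever the LMS chooses (hypothetical in the test)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the accepted time-step counter, or None.

    window:       tolerate +/- one step of clock drift between phone and server.
    last_counter: newest counter already accepted for this user; anything at or
                  below it is refused, so each code is single-use (replay defence).
    compare_digest: constant-time comparison of the submitted code.
    """
    counter = unix_time // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Enrolment: what the QR code would contain for a hypothetical user/issuer.
    print(provisioning_uri(DEMO_SECRET, "student@example.edu", "ExampleLMS"))
    # Login at t=59 s: phone shows 287082; server accepts it once, then refuses the replay.
    code = totp(DEMO_SECRET, 59)
    accepted = verify_totp(DEMO_SECRET, code, 59)
    print(code, accepted, verify_totp(DEMO_SECRET, code, 59, last_counter=accepted))
```

A plugin stores the per-user secret encrypted at rest and persists the returned counter as `last_counter`; that bookkeeping is what turns "knows the secret" into "is holding the device right now", which is the property the whole list above is trying to buy.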
- Your face? Only if it’s beautiful. Alipay has finally addressed the Chinese e-shopper’s common cry: It now makes sure your face displayed at checkout is not unflattering when used as a payment method. Would Kant approve? In any case, face recognition is responsible for many of the latest innovations in machine learning algorithms.
- Deception protection Chrome extension. One of the most elementary practices of malicious actors is to rely on your ability to tune out small details. Overlooking llnkedin in a domain is all it takes to enter their reality. To help counter these subtle threats, Google has released the Suspicious Site Reporter extension for the Chrome browser.
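The llnkedin trick above works because the eye reads a label by its overall shape, not character by character. A defensive check can do the same thing on purpose: collapse a hostname's registrable label to its at-a-glance "skeleton" (l, 1, i and | become one letter, rn becomes m, and so on) and compare that against the brands an organisation's users actually sign in to. The block below is an added example for this article, not the Suspicious Site Reporter's logic or any Google code; the confusable table and the trusted-brand list are constructed and deliberately short, and the label extraction assumes a single-label public suffix (a production checker would use the Public Suffix List and the full Unicode confusables data).

```python
from difflib import SequenceMatcher

# Single characters a reader is likely to skim past as another letter.
# Constructed, deliberately small table; real confusable lists are far longer.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e"})
# Digraphs that visually collapse into one letter.
DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Constructed allowlist: the brands this organisation's users really log in to.
TRUSTED_BRANDS = ["linkedin", "google", "moodle"]


def skeleton(label: str) -> str:
    """Collapse a label to its visual shape so 'llnkedin' and 'linkedin' compare equal."""
    s = label.lower().translate(CONFUSABLES)
    for pair, single in DIGRAPHS:
        s = s.replace(pair, single)
    return s


def registrable_label(host: str) -> str:
    """Second-level label of a hostname ('www.llnkedin.com' -> 'llnkedin').
    Assumes a one-label public suffix; use the Public Suffix List for real traffic."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(host: str, trusted=TRUSTED_BRANDS, threshold: float = 0.85):
    """Return the trusted brand a host imitates, or None if it is the brand itself
    or is unrelated to every brand in the list."""
    label = registrable_label(host)
    if label in trusted:
        return None                                  # the genuine domain, not a lookalike
    for brand in trusted:
        if skeleton(label) == skeleton(brand):
            return brand                             # same shape, different characters
        # Near miss after normalisation: one letter added, dropped or swapped.
        if SequenceMatcher(None, skeleton(label), skeleton(brand)).ratio() >= threshold:
            return brand
    return None


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a proxy or mail log.
    for host in ["www.llnkedin.com", "linkedin.com", "rnoodle.net", "paypa1.com", "example.org"]:
        print(f"{host:20} -> {lookalike_of(host)}")
```

Run over proxy or mail-gateway logs, a hit is a reason to warn the user or to open a ticket, not proof of an attack: the ratio threshold trades false positives for recall, so tune it against your own allowlist before alerting on it.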