Two-step verification secures UB's most valued asset—trust

I mentioned the important role trust plays in my previous post on the four important considerations of information security. As information professionals, we need to work from a position of trust—when engaging with our community and its resources, we trust that you are who you say you are, that you’re accessing the right data in the right way. 

And it’s no coincidence that our trust is the first thing scammers, or bad actors, seek to exploit, through social engineering and impersonating our colleagues and contacts. One of the foremost challenges of information security is to understand the evolving nature of that threat, and how to best respond—without diminishing or violating the existing trust we’ve built at our institution.

Passwords have long been the response to the question of trust in a cybersecurity landscape. But passwords are just one stage in what has been a long evolution of verifying trust in the digital age. 

Now, thanks to two-step verification, the next stage is here. 

In a previous blog, VPCIO Brice Bible already discussed how bringing two-step verification to UBITName accounts in Fall 2019 will benefit everybody at UB. Verifying your identity with a device you keep with you—a smartphone, typically—dramatically reduces the likelihood that your account will become compromised, which in turn helps foster a community that shares more implicit trust, and is freer to create and share knowledge.

Does this mean the era of the password is over? Not quite. A strong password is still essential for trust and security—but the definition of “strong” is changing:

• Length, not unique characters, is the best indicator of a strong password. So rather than use eight characters of nonsense you’ll never remember, why not use a passphrase instead—a complete and grammatical phrase or sentence that will be unique and easy to remember? It’ll be longer, naturally have capital letters and punctuation marks—and it’ll be a lot easier to type on your phone!
• Changing your password isn’t as important as it used to be. Because your second-step is always dynamic—either a passcode that changes every time, or an “in-the-moment” login confirmation by you, on your device—it’s less critical to change your password frequently. That being said, it never hurts to periodically change your password. But now, the new year, new password method is more than sufficient (as long as your password hasn’t been compromised).

And, of course, your passwords should still be private. Don’t reuse them on multiple sites, and avoid anything on those “most common passwords” lists. That, along with two-step verification, will help keep you secure.

Two-step verification is an important step in the evolution of the trust relationship in an ever-expanding, increasingly fraught online world. While it doesn’t remove the burden of verifying trust entirely, it returns some of the power to the individuals engaging with their work and their colleagues on a daily basis, so they can work intuitively, and openly… with trust.

This is what most people think about when they think about information security: preventing those with obviously malicious intent from compromising us and our work. Because these threats have the potential to affect past, present and future UB community members, we as an institution are taking an active approach in this area.

In the past year, we’ve collaborated with the community to develop security standards for the devices we use at work, promoting common sense measures we can all take to keep one another safe. We’re also protecting the entire campus with a new, unified firewall that addresses the broader threat, and can be adapted as needed to meet that threat as it evolves.

It’s critical for us to engage in this area—because what makes one of us vulnerable online has the potential to make all of us vulnerable.

The bad actors are, in many ways, the easiest threat to spot and defend against. It’s when a bad actor gets through—and starts to manipulate the system from the inside—that our most challenging work begins.

How does this happen? It happens when a convincing phishing attempt tricks you into giving up your UBITName and password, or when someone sends you a fraudulent email pretending to be a coworker. It happens when someone logs into your computer remotely using your password (guessed or stolen) and infects it with ransomware. These attacks are devastatingly common.

On the technological side, we’re enabling two-factor authentication on some of the most sensitive UBIT services beginning the Fall 2019 semester. By combining something you know—your UBITName password—with something you have, like a smartphone, we can more reliably trust that the person logging into your UBITName account is you.

Many of us think about information security in the negative—what is the threat, and what compromises must we make to address that threat? But we can also think about information security as a way to empower our community to do its best work, in an intentional way.

Acting with intentionality is what we do when we engage in scientific research, carefully controlling the conditions of the experiment so we can trust the observations it produces. And it is precisely when we fail to act intentionally—whether enabling the wrong setting or clicking the wrong link, that the outcomes become uncertain at best, and dangerous at worst.

Taking on some risk is necessary in order to make an impact. Everything we do is designed with the goal of helping the campus community take necessary risks in an informed, intentional way.

This is the mission of information security, and it is emphatically people-centered. Security is a spectrum—there’s so much diversity among the people and the work that make up the University at Buffalo, and a one-size-fits-all approach will simply not work.

We can build firewalls, propose standards and suggest best practices, but for an institution to truly put information security into practice, its people need to see the inherent value in it, and take up the cause themselves. Our goal is to provide the resources, and the environment, for the people at UB to do their best work, the best way.

It starts with you.