Lithuanian university locks out students again for not using proprietary 2FA (digilol.net)
93 points by kotatsuyaki on April 27, 2023 | hide | past | favorite | 61 comments



I had a similar problem when I was required to use Outlook email. It turns out that Outlook does support FIDO2 hardware keys (or app) in place of MS Authenticator, but it is disabled by default. The Admin has to explicitly enable it.

One then has to get through a number of roadblocks including:

* The option to log in with a FIDO key does not show up in Firefox, only Chrome (and Edge?). Bugs?

* MS only recognises keys from "Partner organisations". If you go with an open source key, such as Solo, it probably won't be an MS partner and you will have to get the Admin to add AAGUID numbers for your type of key.

* A "Temporary Access Pass" needs to be issued by the Admin for first sign-in, to boot the chain of trust.

All in all it's a pain for the Admin compared to saying "Download MS Authenticator", hence it may be difficult to get an Admin to admit that the FIDO option is there.


Firefox on Mac and Linux doesn't yet support the PIN-required version of FIDO2. MS365 requires this mode.


This is incredibly infuriating from Mozilla and very sad to see. Again their browser shows they just cannot stay in the enterprise environment. Such a shame.


https://bugzilla.mozilla.org/show_bug.cgi?id=1530370

This is the issue tracking it, and it looks to be nearing completion.


Some of the things you mention here are organizational implementation, potentially making things more difficult to support. For example, attestation is not enabled by default. An admin enabled that, and didn’t automatically allow-list common AAGUIDs.

TAPs can be programmatically generated in batches for a roll out.


Keep up the fight. I've tried this with banks, who are keen on forcing Android/iPhone apps on everyone. Should hopefully be easier to get a public entity to provide non-proprietary 2FA implementations.


To be fair, it’s easier and more convenient to just tell the user to download their own app than having to set up any other 2FA service.

Authentication has been a solved problem for decades but no bank is going to ask the general public to use their SSH keys.


The question is whether something standard like TOTP is also offered as an option (regardless of how "dark-patterny" it is to get to the option --- I've seen services that will heavily push their own app, but if you look carefully you'll see TOTP too, often disguised as "Google Authenticator" or something else that doesn't explicitly say TOTP but actually is.)

> Authentication has been a solved problem for decades but no bank is going to ask the general public to use their SSH keys.

Nor ask them to put their smartcard in the reader, although many banks will already have given one to their customers...


British banks issued EMV card readers and used them for authentication from around 2005 to 2010, 2015-ish.

It looks like some still provide this to customers who can't use other methods.


Your bank allows apps? Luxury!


Maybe the EU should solve this by mandating that all 2FA implementations support TOTP, analogous to how they mandated USB-C for smartphones.


I genuinely didn't know there was a 2FA system that didn't support SMS/Email or TOTP.


Yandex Key does. I have tried to scan the barcode and see the details, but it's not standard TOTP. You need to have the Yandex Key app installed.


It could happen, they recently forced banks to use 2FA for some operations if I remember correctly.


TOTP is kinda lame once you've used FIDO2/CTAP2. Please skip TOTP as a requirement.


It's kind of hard to follow the moral stance here. The university is apparently a Microsoft 365 customer. The objection of the students here seems to be that... they are being required to use a Microsoft product in order to access a Microsoft product? It's hard to understand how 2FA is the thing that crosses the line, when the university has already entrusted Microsoft with everything else.

And as they say in the letter, MS Authenticator (which is not even really a 2FA system but a passwordless authentication product, likely the best on the market right now) is not even mandatory as SMS is also an option. Setting downsides of SMS 2FA aside, they are not actually being required to use proprietary software, but instead seem to have bundled two mostly unrelated concerns together. I mean, they're objecting to having to share their phone number with MS... In order to access their email that MS hosts. The privacy boundary they're making this stand over is just a very strange one.

TOTP isn't really a drop-in replacement either, as MS Authenticator is intended to protect against a couple of classes of attacks that TOTP doesn't, most importantly 2FA interactive phishing, which TOTP remains vulnerable to. Following the Okta attacks a number of organizations have prohibited TOTP, as interactive phishing of TOTP tokens is becoming pretty common, such that TOTP 2FA is no longer substantial protection against this extremely common attack vector. FIDO is another good option, but frankly the usability of FIDO remains very poor and it produces a much higher volume of support issues than app-based interactive verification.


>It's kind of hard to follow the moral stance here.

Fighting for civil rights often makes you look like a prick, because you keep laser-focused on your goal and need to counter all the reasonable-sounding objections of people who were following their daily routines before this ball-breaker came along; but it is nevertheless necessary.

Contrary to Hollywood films, people don't stamp on other people's rights because they have some inner impulse to do evil, but because injustices are ingrained in the common way to do things, and fixing them implies deviating from those routines; that's why it's so hard to change them.

That's the real meaning of the sentence "for evil to triumph, all it takes is for good people to do nothing". The movie script of a hero taking the matter into their own hands and saving the world with heavy guns is but a fantasy.


> Fighting for civil rights often makes you look like a prick, because you keep laser-focused on your goal and need to counter all the reasonable-sounding objections of people who were following their daily routines before this ball-breaker came along; but it is nevertheless necessary.

You are correct. All true.

But there is no easy-to-implement groupware, open office, email, chat suite. Yes, on HN you can say Zoho or SOGo or LibreOffice. While I totally use OSS, it is a pain for universities to find talent to implement this at scale.

Also a majority just use MS products and want compatibility. This is similar to tons of devs doing OSS dev but using macOS (and using a VM or remote ssh) as they want their devices to run for 12 hours on battery.

Some European universities tried going open solutions - this patchwork either failed or some even got hacked.

At the end, there are no easy solutions. I sincerely wish someone like the Linux Foundation would implement a total OSS solution based on Nextcloud to build an all-integrated suite to compete with G Suite or MS.


The problem is being required to install Microsoft spyware on your personal devices.


...to access non-free software or services. That is patently ridiculous and philosophically inconsistent.


This seems somewhat overblown, inasmuch as the use of proprietary, closed-source productivity applications developed in the United States is itself an a priori compromise of FSF values.

Email is a thankless, dirty business (ask anyone that has ever done an Exchange migration), and there is no incentive for the University to necessarily use and maintain a persistent free software-based email backend. It would be a better outcome to allow students the ability to use their own, personally-chosen communication services and devices, with the caveat that this might exclude some students or faculty from accessing resources that are under the control of commercial partnerships.

Stop putting your hand in the meat grinder and turning the crank. It IS possible to live the FOSS dream; just stop whining that non-FOSS software and services have left you behind; it's not their directive to do so.


I think it’s more fundamental than this. They do not want their education to be conditional on having MSFT software on their phone, or handing over personally identifiable data like their phone number to a big tech corp.

But the students were further aggravated by the incompetence of the university. There’s a bit in the articles and emails about how easy it was to hack into their infrastructure despite 2FA efforts. Together, these things (and some of the published emails) seem to show the university is stubborn and incompetent. Which is where students and VGTU seem to clash as well.

The university staff should have just enabled TOTP, or at least offered some reason to believe they generally knew what it was. Given the university claims to be specialised in tech, it is a reasonable expectation. Instead, their technical staff demonstrated a front line tech support level understanding.

It seems like those are the fundamental problems the students are surfacing.


In no particular order:

* O365 doesn't require installing anything on your local device.

* SMS 2FA is less secure.

* Personal phone number is in a separate privacy domain from work/school email.


> The objection of the students here seems to be that... They are being required to use a Microsoft product in order to access a Microsoft product?

The objection is that they're being required to compromise their security, either by installing Microsoft's spyware or enabling SMS 2FA.


Security of what though? MS email and onedrive. I don't get it either, unless the critique isn't actually limited to the 2fa app.


The security of their personal devices on which they must install Microsoft spyware and accept its terms, before being allowed to complete their education.


Ah ok. The 2FA isn't the important part, nor the service, it's the fact that it's an app of any kind that they otherwise would not choose to install on their personal property, and shouldn't have to in order to do something like simply be in school. I completely agree with that.

I'd say if the school isn't willing to modify their server configs to allow generic 2FA, they should be obligated to provide devices to run that app if they really insist on that app alone. Then maybe with that choice they might decide it makes more sense to reconsider simply having one admin do about an hour's research and set some service options.


TOTP phishing? Like, MITMing TOTP requests or something?
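The comment above about TOTP remaining vulnerable to interactive phishing, and this question about what that means, both come down to one property: a TOTP code is valid for anyone who submits it within the time window, whereas a FIDO2/WebAuthn assertion is signed over the origin the browser actually talked to. The following is an added illustration, not code from the article or the university; the seed is the RFC 6238 reference secret and the relying-party origin is a placeholder.

```python
"""Contrast a TOTP check (no channel binding) with the origin check a
WebAuthn relying party performs. Constructed example, not from the article."""
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side check. Note what is absent: nothing says where the user
    typed the code, so any fresh code submitted within the skew window passes.
    That is the weakness the thread calls interactive phishing."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def check_client_data(client_data_json: bytes, rp_origin: str,
                      expected_challenge: str) -> tuple[bool, str]:
    """The type/challenge/origin checks a WebAuthn RP runs on clientDataJSON.
    Simplified: the authenticator's signature also covers this JSON, so the
    browser-supplied origin cannot be edited after the fact."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or stale)"
    if data.get("origin") != rp_origin:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"


SEED = b"12345678901234567890"          # RFC 6238 reference seed
RP = "https://login.example.edu"        # placeholder relying-party origin


def demo() -> dict:
    t = 59  # RFC 6238 test time: step 1, whose 6-digit SHA1 code is 287082
    code = totp(SEED, t)
    # The server cannot distinguish the user's own submission from a relayed
    # one a few seconds later: both fall inside the same window.
    relayed_ok = verify_totp(SEED, code, t + 5)
    # WebAuthn: the browser fills in the origin it is actually connected to.
    genuine = json.dumps({"type": "webauthn.get", "challenge": "c1",
                          "origin": RP}).encode()
    elsewhere = json.dumps({"type": "webauthn.get", "challenge": "c1",
                            "origin": "https://other.example"}).encode()
    return {"code": code,
            "relayed_totp_accepted": relayed_ok,
            "genuine_assertion": check_client_data(genuine, RP, "c1")[0],
            "assertion_from_other_origin":
                check_client_data(elsewhere, RP, "c1")[0]}


if __name__ == "__main__":
    print(demo())
```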


My Indian university does this and I'm powerless. Emailing them or convincing them didn't help. At least Europeans care about privacy. Everyone looked at me like I was retarded when I tried to explain the issue to them.


You are powerless because there is no law that makes you right. Maybe find someone who can change that?


I've tried but there's not enough momentum on this issue. Nobody cares. Can't find anyone who cares about the issue AND has the power/ability to cause change. There's no law against this either, AFAIK, so there's no way forward that I can see.


Most likely you are correct. I suspect most citizens of India put “right to privacy” far, far below many other issues. So many are still affected daily by clean water and electricity shortages, lack of economic opportunities, and inconsistent (corrupt) governance.

Europe is afforded the luxury to spend energy on issues like this that are well higher on Maslow’s hierarchy.

However, due to prevailing issues between religions and castes in India, perhaps some would be interested in a blanket “right-to-privacy” in order to better hide their affiliations. This doesn’t seem to be the direction they’re heading but it’s a small fulcrum for change perhaps.


> To use TOTP we need to reconfigure more than one system because they work differently or 2FA was not thought of when they were designed.

This thought is repeated in the correspondence, does anyone have any idea what they actually mean by that? After all, if they're using Azure Active Directory, then surely the type of 2FA shouldn't matter that much to most of the software that's integrated with it, right?

Why wouldn't the suggestions presented in the e-mails work?

  Go to Security > Multifactor Authentication > Additional cloud-based multifactor authentication settings.
  Tick the checkboxes like in the attached image.

Presumably along the lines of: https://learn.microsoft.com/en-us/azure/active-directory-b2c...

Other than that, it feels like repeated back and forth, with either a lack of mutual understanding of what's actually being used sometimes, or the repeated statement above, which is unfortunate to see.

Props to the person for standing their ground due to what they believe in, but I feel that many would (unfortunately?) just get a cheap Android device for something like this, if their daily driver was something else.


The school should be providing phones if the students require them. I strongly believe 2FA is important, but it is even more important to acknowledge that not everyone owns the gadgets that you do. And they may not want to. So if a service requires 2FA they should also supply the necessary hardware to all of their users.


> The school should be providing phones if the students require them.

I agree in principle, but doubt that our reality matches up with that. It's easier for them to blame the minority of people, especially if nobody will stand up for them.

In their own words:

>> If your phone doesn’t support Microsoft Authenticator, you need to use “Call to phone”, if you don’t want that method to use, you need to change your phone, which support Microsoft.

They can just say: "Most people use phones with a mainstream OS, don't be a weirdo and just use a phone like that, like the rest of the people." Same unfortunate situation across the board, with plenty of software being Windows/Mac-only, drivers not being open source and for the most part almost nobody caring.

What's worse, in this case it seems like TOTP should be able to be supported, with relatively few issues, unless there is indeed something major I'm missing.


Isn't it just weird that a university is using this language at all? A lot of their messages seem so unempathetic and unprofessional. The spirit of academia has always been about being open to ideas and embracing open standards from my experience, too. Something feels off.

"You need to change your phone, which support Microsoft" just sounds very shady for a state-funded university. Or perhaps I am too sceptical. But a "proprietary tech only" university seems a bit of an oxymoron and close-minded for me. I would expect even staff to protest that.


> Isn't it just weird that a university is using this language at all? A lot of their messages seem so unempathetic and unprofessional. The spirit of academia has always been about being open to ideas and embracing open standards from my experience, too. Something feels off.

It might just be a cultural thing, or the perception on the behalf of the staff, that this person is creating problems for them, where none should exist. I'm from Latvia, which is right next to Lithuania - most of the correspondence I've received in a Latvian university has also been a bit on the terse side of things. It also mirrors the attitude that some of the staff can have, some take pride in failing students, not really helping out with the subjects much, some are genuinely overworked. Of course, there were also plenty of genuinely good staff members.

For example, I remember reaching out to a professor to explain that I'm attending a software development conference and whether I could re-schedule the date on which I'd take an exam (maybe to take it together with those who would later re-take it after not passing). The answer was simply: "No." with a typo in that single word response, somehow. Also, I recall the local IT department sending me a fairly accusatory message about me doing port scanning, when I was testing out OpenVAS against my own VPS (a single node). Nothing wrong with asking questions, but maybe there's no reason to start with an accusatory tone and demanding an explanation. Oh well.

As another example, I recently had a postal package come in that I couldn't redirect to a package machine for pickup, for some reason. So, I wanted to have it delivered to my house (a service that's offered) by the postal worker. I reached out to the customer service by e-mail and just got a copy paste from the FAQ, with my question about the delivery going completely unaddressed. When I called them on the phone, the person there was nice and helped me figure everything out in a few minutes and arranged for the delivery.

People can be nice in person (or when talking over the phone) or when they know you, but for whatever reason many of the people are less nice online. There are fewer pleasantries in general, people typically get to the point more quickly, or might seem cold to someone from US or similar countries. That said, you don't really open the comments sections of news sites over here, unless you want to see something mocking or with profanity.

I'm really not sure why that is. It should probably be better somehow.


The universities in Lithuania are incompetent when it comes to IT. I graduated from Vilnius University and they also were Microsoft shills that don't know anything better.


I have to admire their energy and dedication, even if I perhaps think that energy and dedication would be better spent elsewhere.


Previous discussion at https://news.ycombinator.com/item?id=35643915. The student was locked out again on 2023-04-26.

Note that the link is a permalink, and if you're reading this in the future you may want to go to the master branch at https://gitlab.digilol.net/Siren/vgtu-article/-/blob/master/....


Ironic to link to a site that requires running proprietary JS to view static content (and it's not one of those where the content is visible in View Source either.) Even GitHub doesn't do that.


They're whining about having to use Microsoft Authenticator.

I get it, Microsoft sucks. But they're almost certainly using Android or iPhones and so already use a bunch of proprietary software.

What a stupid hill to die on.


The emails mention students only using FOSS. And while they are the minority, their point of view is reasonable. Studying should not involve handing over one’s data to MS or any other big tech corp without good reason.


Yeah. I’m sure none of them have any device capable of watching Netflix or have a gmail address..


To me this looks like it’s about principle of not being denied education if you do not consent to big corp EULAs.


Foreign big corp EULAs.


When I was a student last, I was using an Ubuntu laptop, and an Android phone that was no longer receiving updates, so couldn't run any of the new versions of the apps required to do so many things.


I had a Debian laptop and a Firefox OS phone!

Nowadays I'm a sellout and traded liberty for convenience (and deserve neither, paraphrasing Benjamin Franklin), but I used to fight the FOSS fight. My first two jobs were on AGPL/GPLv3/GPLv2 products!


Heh, ironic that a user named cyberpunk is defending the corporate default.

Advocating for change is not invalidated by hypocritical details. Don't be that guy.


Did anyone force you to use either of those to complete your education? No? What's your point again?


I think it's a stupid hill for the university to die on.


You are wrong, sir. Seems like some of these students use Android ROMs without Google Services...and probably without any proprietary software.


Some of us don't use any proprietary OS. What are we supposed to do?


I work for a uni which is rolling out the MS modern auth. We have a FIDO2 option (Yubikeys I guess) for conscientious objectors to the Authenticator apps.


Do you hand out the keys for free? If not you are still punishing people who have the moral high ground.




Actually when I was a student I was using OpenBSD on my laptop and couldn't afford a smart phone. This smells a lot like "Oh you're a fan? Name three of their songs!"


Clearly we must make many compromises with our privacy and personal data day-to-day. Perhaps this is not how things should be.


Just because someone has a tiny binary blob on their otherwise open source device, doesn't mean they should give up and install a whole proprietary app from a marketing company that regularly communicates to the internet.

Let's try to be respectful; not everyone is willing to 'submit', and that's OK


No, they're not using an iPhone or an Android.

In the article the student mentions that they're using "a PinePhone running PostmarketOS".


I know it will be an unpopular answer, but given there are two options (namely: Microsoft Authenticator or using the SMS option) what is the problem? If the SMS option is such an attack to your privacy, use a cheapo phone with a prepaid SIM registered to your dog. Not all countries permit this, but it's a start.


> registered to your dog. Not all countries permit this

In Lithuania you don’t even need to register anything. You can just buy a bag full of sim cards in any supermarket completely anonymously.

