Two-factor authentication will soon be introduced at the university - a necessary step to protect computer systems from unwanted intruders.
25 February 2023 was not a good day for the University of Oldenburg. Attackers were able to hack several of the university's user accounts via phishing emails. The criminals used emails to trick employees into entering their passwords on fake websites. The hackers used the stolen access data to send further fraudulent emails. They circulated a total of more than 80,000 spam emails that day and the following day. As a result, the university ended up on several blacklists. Many servers automatically blocked emails ending with "uni-oldenburg.de". It took several days before it was possible to send emails again without any problems.
Another massive hacker attack that hit the university in the summer of last year showed that such attacks are not isolated incidents, but an expression of an ongoing threat. The IT experts only managed to fend off the attack with great effort and expertise. "Overall, we have got off relatively lightly so far," says Thorsten Kamp, who is responsible for security in the Data Protection and Information Security Unit. In theory, attackers who have hacked an account could cause a lot more damage. This is because the access data enables them to access all systems and servers for which the respective account has authorisation. In recent years, several universities have been paralysed for months in this way. The attackers encrypted data, blocked systems and made extortionate demands for money. "In many cases, it started with phishing emails," says Kamp.
To prevent accounts from being taken over by phishing in future, the Presidential Board has decided to introduce two-factor authentication. The large-scale IT project was launched at the beginning of March. "In future, when you log in to a system such as webmail, your ID and password will no longer be enough; you will need a second factor to prove your identity," explains project leader Ulrich Czernik. He is responsible for managing the user accounts of university members at IT services.
A work tool like an office key
Many people are probably already familiar with the principle behind this from online banking or other digital services: Where accounts are already protected by two-factor authentication, you usually end up at another barrier after entering your usual password. For example, you have to use an app, a stick or a biometric feature to confirm that you are the real owner of the account. "This prevents unauthorised persons from gaining access to data or functions simply because they are in possession of the password," says Czernik.
At the university, the second factor for all employees will be a so-called security token - either a kind of USB stick that you insert into your computer or a contactless transponder that you have to hold up to your tablet or smartphone when you want to start working. "Basically, this security token is just as much a work tool as an office key," says Czernik. A different solution is planned for students and guests of the university: They should be able to identify themselves using special software - an app on their mobile phone. "The combination of the two factors provides significantly greater protection against misuse," emphasises Czernik. The process is now state of the art.
However, the university's IT experts still have a lot to do before the project can get underway. At the kick-off meeting at the beginning of March, all project participants were brought on board - including representatives of the Divisions and Schools. The next step is to define the future authentication system in detail with the help of a consultancy firm.
Pilot tests in a special test environment
Pilot tests in a special test environment will then take place in the summer. The first systems to be converted are the webmail and VPN applications as well as the platforms konto.uol.de and pw.uol.de, which users can use to change their personal settings. "The VPN tunnel is particularly important because it can be used to connect to the campus network from outside," explains the project leader. At the same time, the IT services have to make some major technical changes to the system architecture in the background: Some services and systems that are currently organised as isolated solutions are to be converted to a central system. "In addition, we first have to make some older systems technically capable of accepting the second factor," reports Czernik. If everything goes according to plan, the new access method could be introduced step by step from autumn or winter.
The aim of the project team is to establish a solid standard that is as fail-safe as possible and at the same time make it as easy and convenient as possible for users - so that logging on to the computer remains as simple as unlocking a lock.
