Two-factor authentication is coming to your phone (or other device)

As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.

The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password). The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.

Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’, into a box.) Two-factor authentication adds an additional layer of security by having you touch ‘something you have’[1]. Wayne State has contracted with Duo, a nationally-known Ann Arbor-based company, to implement this additional layer.

How does it work?

If you have a smart phone (iPhone, Droid, Windows phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:

[Image: Duo on iPhone]

If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner[2], will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.

The process for other flavors of smartphone is the same. See here for Android and scroll down on this page for other devices.

If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.

If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).

For much more detail on how this works, go to our FAQ.

Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named notion that we should ‘eat our own dogfood’).

As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.

_______________________________________________________________________________________________

[1] You can read about this way of classifying security methods on this website.

[2] Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, you will need it to get to any page within Academica that looks like this:

[Image: Self-service Banner]

 

Pokémon Go—the best thing since sliced bread (or Tinder)

By now you’ve undoubtedly heard about Pokémon Go, the ridiculously popular new phone app based on the Pokémon franchise. In the relatively new development space of augmented reality it blends fantasy characters with the real world. It uses your phone’s GPS and superimposes Pokémon[1] on a map, like this:

[Image: Near CIT]

This is a screenshot taken outside my office, standing next to I-94 at Woodward.

It was released last week and is now more popular than Tinder, and is rapidly catching up with active users of Twitter. Since I’ve only just begun playing I can’t report a great deal about what it does (there are various kinds of critters that you can ‘capture’, and there are ‘gyms’ where you can have fights (the platform-like object in the image above is a gym at the church across the street from the main C&IT building at Woodward and 94), and I’m told there’s one near the Science and Engineering Library). In addition there are ‘Pokespots’ all over campus, including one inside UGL.

Here is an excellent, if a little snarky, introduction to the whole thing.

The social fall-out from Pokémon Go has been quite astonishing. There are stories of folks making friends through the app (which is perhaps why it’s surpassed Tinder 🙂 ), and a few cases of accidents of various types. Apparently, in the space of a week some folks have started playing an NSFW[2] version. There was originally a security issue because the first version of the app was able to access all your Gmail contacts if you had an iPhone, but an update has assigned appropriate security levels.

There is going to be a Pokémon Go event here in the Cultural Center on Friday.

So it really seems to be ‘a thing’, and probably worth learning more about. I haven’t yet had a chance to wander around looking for Pokespots, but probably will. Don’t forget to be very careful if you are walking around holding your phone. There are two dangers:

  1. Apple Picking
  2. Immovable objects

In the end, have fun. And let me know what you think. Is this the greatest thing since Twitter? Or a flash in the pan?
_____________________________________________________________________

[1] Since I’m a linguist you’re gonna get some linguistic commentary here too. Like several other words borrowed from Japanese (emoji, for example), purists insist that the plural is unmarked (that is, that you don’t add an ‘s’). This is analogous to those who insist that ‘data’ is plural and that the correct plurals are ‘stadia’, ‘podia’ and ‘octopi’. Or perhaps it’s analogous to the animals that have what we call ‘zero plurals’, like ‘sheep’ or ‘deer’.

[2] ‘Not safe for work’. You can probably figure out why, given that the game uses your phone’s camera, which can take selfies.

The latest on the Apple-FBI Battle

Last week I noted that the FBI claimed that they were only interested in this one iPhone, and the claim that they had no intention of using this case as a precedent was clearly not true. This was because they were already using the same request to get into a number of other iPhones.

Yesterday a Federal judge in the New York Eastern District ruled against the FBI in a similar case. The judge ruled that the Government’s expansive use of the ‘All Writs’ Act (passed in the eighteenth century) did not include the ability to force Apple to write new software to break the ‘nine strikes and you’re out’ feature of older iPhones — the feature that prevents multiple tries at guessing passwords.

It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.

Go here for a comprehensive guide to all the issues.

Tim Cook and the FBI will testify before Congress this afternoon.

Thoughts and tips on using Academica

Academica has been the University’s official portal for a few days now, and the Feedback section has been filling up with likes, dislikes and assorted comments. I’ve combed through the comments so far and have a few thoughts I’d like to share.

Appearance

First, there is the notion of a ‘portal’. In contemporary computing terms, a ‘portal’ is a webpage that leads you to facilities that permit you to do stuff. It’s different from an organization’s ‘website’, which is a webpage that allows you to find out stuff. So a portal should be interactive, while a website should be like a reference work (an almanac or a phone book, or even an encyclopedia).

Categorization

So, most of the links that appear in Academica are either interactive (‘see my paystub’, ‘check my grades’, ‘search for a journal article in the Library’) or lead to interactive links (‘Benefits and Deductions’).

Of course, some lead to other portals, such as the link to the IRB in the Office of Research, and a few are there even though they are static, simply because of popular demand (‘Campus Map’, ‘Research Compliance’), but the principal distinction was between ‘doing things’ and ‘finding out stuff’.

Finding stuff

If you want to use Academica as your portal for everything, you can use the search box at the top and select (with the drop-down arrow) to search the WSU Website, where you can find anything that is searchable (parking structure maps, English major requirements, General Counsel’s office) on the wayne.edu domain.

Appearance

A number of folks commented on the visual appearance (some in less than complimentary terms), and seemed to think Pipeline was more visually appealing—an opinion I’d challenge, myself. However, the main reason Academica looks the way it does is that it was designed from the ground up to be easy to use on any device, and particularly to be easy to use with smaller devices, like phones and tablets. It actually detects the size of your display and customizes itself automatically. The reason for this is that increasing numbers of us use mobile devices as our primary means to access the electronic world. A recent study showed that ninety percent of Wayne State students bring smartphones to their classes, and now they can use their phones to check the status of their bursar’s account, or their final grades, and employees can check their paystubs (I just checked mine with my iPhone 5s in three ‘clicks’).

Why did we do this?

Pipeline is at the end of its development cycle–the company that made it is no longer supporting it. That makes it like a car whose spare parts are unavailable. It could keep running, but if it broke suddenly it couldn’t be repaired. C&IT decided it was better to replace it before that happened, and our local app-programming gurus built something for the twenty-first century. In addition to being usable on all devices it is very adaptable. It will not break a sweat if twenty thousand students check their grades all at once. Those who used Pipeline over the years know that it tended to roll over if demand got heavy. Academica is pretty resilient and should not do that.

A New Wayne Connect is Coming

Many of us received a message from C&IT today announcing the new Wayne State email system, which will be called Wayne Connect – Powered by Microsoft. There are a number of new features that everyone will be happy about, and this blog is intended to highlight several of them.

OneDrive

First, everyone will have a personal storage, collaboration and sharing tool called OneDrive. Some of you may use this already, and it’s very similar to competitors such as Dropbox and Box. It has the advantage of being much more secure, but has all the features that have made these tools so popular—you can share specific files with specific people (ending the need to share large files by emailing them), or with groups (making collaborative writing tasks much easier). OneDrive comes with 50 GB of storage for all users—way more than the 12 GB we have now.

Skype for Business

The new system also comes with Skype for Business, which is an IM client, but also allows for audio and even video conferencing (if you have a microphone and camera on your computer).

Email, calendars and address books

But, of course, Wayne Connect is also an email and calendaring system. You will have the choice of using the web-based client, which will be very similar to the current Wayne Connect Zimbra-based system (or Outlook 365, if you use that). Alternatively, you can use (or continue to use) the desktop Outlook program instead, or in addition. In fact you can use any email client, including the ones on your phone or tablet, or Mac Mail, or… Each one has advantages and disadvantages. The desktop version allows you to import .ics calendar files, so you can import appointments from, say, Tripit or OpenTable. The web-based version is of course available wherever you can get access to a browser.

What you don’t need to do

All your current Wayne Connect files will be moved into the new system over the next few months, so all your back email and old appointments will be there, as will your address book, so you don’t need to do anything to keep all that stuff.

What you do need to do

There are a few small wrinkles in some corners of the system. If you use filters they won’t transfer, so you’ll have to rewrite them, and you’ll need to recreate your signature file(s) and any file permissions you might have set up.

If you use Briefcase you’ll need to move all your files into the main folder—any additional folders you might have created won’t transfer.

These details can be found here.

Help us help you–participate in the ECAR survey

Many WSU faculty (50% of them, to be precise) have been receiving requests to take part in a national survey of faculty attitudes towards technology at the university. The survey is being run by Educause, the national educational IT organization. This is the second year this survey has been run, and last year’s survey produced some interesting results about faculty interests and desires around everything computing-related.

Last year’s results are available in ‘infographic’ format here:

http://net.educause.edu/ir/library/pdf/ers1407/eig1407.pdf

Some relevant findings from last year:

  • Nationally, fewer than fifty percent of faculty are satisfied with IT support for research.
  • Opinions on the use of smartphones in class are mixed, with about half of faculty banning or discouraging them and only a third encouraging or requiring laptops (I myself don’t see how I could ban smartphones, and I’ve taught classes where laptops were required because we were all learning how to use some online tool).
  • Many faculty feel they could be better at using web-based content and online collaboration tools in their courses, but there was less enthusiasm about social media as a teaching tool.

There are two versions of the survey, one that takes about twenty minutes to half an hour, and another that takes only ten minutes. Whichever one you choose, your participation will be greatly appreciated, and will help C&IT plan our investments for the next couple of years.

Look for a reminder and your personalized invitation to join in the survey tomorrow. If you don’t get one, you’ll be asked to participate in a more general survey of IT satisfaction that all other faculty, staff and students will take part in later this semester.

Blackboard is getting more mobile

Blackboard has released the free version of their mobile app. Previously it came with a small charge, but the latest version is free for all WSU faculty, staff and students. It’s available for both major platforms, iOS and Android, in the usual places (iTunes App Store and Google Play Store). Your students can use it to check their grades and assignments, view documents and web links, and create discussion and blog posts. Instructors can also post announcements (handy if you’re snowed in or forgot to mention something in class), create and edit assignments (although not grade them), email your class or create new discussions.

To get it, just go to the relevant store and search for Blackboard Mobile Learn. Once it’s installed, open it and log in using your normal Wayne State credentials (yes, it’s safe–it goes directly to Blackboard).

Some FAQs about what you can do with it are here.

Replace Pipeline with Academica in your Bookmarks, soon

Pipeline is about to be replaced with a totally new, social-media-oriented website/portal called Academica. It is device-agnostic, which means it works with all computers, all tablets and most smartphones (something people have been requesting for almost as long as there have been smartphones).

It’s also smart itself. It remembers the tasks within the system that you use most, and bubbles them up to the front page so that most common tasks are always one click away. For example, if you’re a faculty member it will put Download Classlists and TravelWayne up front and center, but if you have to approve timesheets that link will be right there as well. In general most tasks should be no more than one, or at most two clicks away.

It also comes with a built-in messaging system that is similar in features to Twitter. It allows you to use hashtags (#hashtag) and mentions (@GeoffNathan). There will be streams associated with a number of common topics of discussion, as well as streams for departments and one for each class being taught.

Academica is still being developed (technically it’s in beta), but you’re welcome to try it right now. Just go to academica.wayne.edu and log in as usual. You will have the option to switch to exclusive use of Academica (instead of Pipeline), but there is always a button available to switch back to the old Pipeline interface if you need to.

Since it’s still under development, C&IT is looking for feedback, which you can send by writing to academica@wayne.edu, or by going to http://computing.wayne.edu/academicafeedback.

The official roll-out will be some time in the fall, but feel free to play with it now. Who knows, you may never want to switch back to Pipeline. Academica and Pipeline will both be available at first, but Pipeline will be shut down in the 2014-2015 academic year when we are confident that Academica can support all of our campus needs.

Here’s a preview of what the interface looks like, showing only the links part:

[Image: Academica Links Section]

Celebrate National Cybersecurity Awareness Month by Protecting your Smartphone

OK, so NCSAM isn’t your favorite time of year. But if you were to lose your smartphone, and you hadn’t been careful with it, it would very definitely be your least happy time. And it’s not just the annoyance of having to get a new one, and reinstalling all that stuff…

For many of us, most of our life is accessible from our phones–from dates with our sweeties to bank account access to plane tickets–even blood pressure tracking and lists of meds. How much of that would you like to share with a phone thief? And make no mistake, Wayne State, like everywhere, is a good place for ‘Apple Picking’ (swiping a phone from someone’s hand while they are holding it out and looking at it).

What can you do? There’s a good website that C&IT provides. But the most important thing you can do is to lock your phone. Both iPhones and Android phones can be locked so that you need to type in a PIN before you can do anything other than call 911 (or, in the case of iPhones, take a picture). It’s mildly annoying, but you can set it so that the lock doesn’t take effect for some specified time, say fifteen minutes. That way you can reopen your phone right after you’ve closed it, if you’re like me and forget why you opened it in the first place, and only remember after you’ve closed it again.

In my next post I’ll talk about how you can remotely wipe your phone, so that even if someone breaks into it, they won’t find anything.