Two-Step Login Changes

An increasing number of services and universities require edu-ID users to verify their identity with an additional factor in a process called Two-Step Login or Two-Factor Authentication.

One year ago, about 5% of all users had enabled this secure login method. As of today, this number has tripled to 15% of all 930’000 edu-ID users.

This is great news from a security point of view and has led to the following two changes, which were introduced at the end of August 2023.

1. Reduced Usage of SMS as Second Factor

The SWITCH edu-ID currently supports two methods as second factor: SMS and TOTP (Authenticator App). While the use of SMS messages as second factor is still quite common for other services – and also works with older mobile phones – we have recommended for quite some time to move away from this method.

We want to reduce the usage of SMS as second factor for these three reasons:

  1. The delivery of SMS is not always reliable.
    Especially for deliveries to foreign countries, the message does not always arrive, or only with considerable delay. As operators of the SWITCH edu-ID service we use several SMS providers, but we cannot control the delivery to the end users in a satisfactory way.
  2. The delivery of SMS is not very secure.
    There have been numerous demonstrations that SMS messages can be intercepted using cheap electronic equipment. Therefore, relying on SMS as security factor is risky, even though we don’t know of a case where SMS tokens have been intercepted in the context of edu-ID.
  3. The delivery of SMS is very costly.
    When SWITCH edu-ID introduced the Two-Step Login in 2018 with SMS, usage was very low. Nowadays tens of thousands of users have enabled SMS as second factor. Each login with SMS costs a few Rappen. The monthly costs for sending SMS have become a pain point, especially considering the two above-mentioned disadvantages: we pay a lot of money for a less secure and less reliable second factor.

For the reasons above, we slightly modified the user interface for enabling the Two-Step Login: the SMS option is no longer shown by default, but only after one clicks on the link “I cannot use an authenticator app”. This is shown in the screenshot below.

With this small change we hope that fewer people use SMS as second factor.

2. Mobile Number to Recover Account

With the increasing number of users who enabled Two-Step Login, the number of support cases grew considerably. People lose their phone, delete the app that generates the TOTP codes, or don’t remember which app they used to generate those codes. As a result, roughly a third of all tickets of the edu-ID service desk involve resetting the Two-Step Login for end users. This process is very time-intensive, costly and at times frustrating for all involved parties.
Therefore, a few months ago a mechanism was introduced that allows users to reset their Two-Step Login on their own if they have a (verified) mobile number in their account. In spite of the above-mentioned security implications of SMS, we think that the self-reset mechanism, based on username/password plus a one-time code sent to the verified mobile phone number, is secure enough.

This self-service account recovery with a mobile number has worked quite well and frees up capacity of the support team. Therefore, we decided – as Google, Facebook, LinkedIn and others do as well – to ask users to provide a phone number for the recovery of their account. When one now enables the Two-Step Login with TOTP, the user is asked during the setup process to additionally provide – and verify – a mobile phone number. Currently, nobody is forced to provide this information, as this step can be skipped.

Our hope is that most users will provide their mobile phone number, which can make their life easier if they lose access to their app codes, because they can then recover their account on their own.

Outlook

In the next few weeks additional changes regarding the Two-Step Login will be introduced. On one hand, Passkey/WebAuthn is currently being tested and will hopefully be introduced soon. On the other hand, there will be a mechanism that allows organisations to enforce security policies for their users when it comes to authentication.

You will read more about these two topics soon on this blog.

Author: Lukas Hämmerle

I'm a member of the SWITCHaai team and the SWITCH edu-ID team.
