CAS Watch

Virginia Tech’s Central Authentication Service, or login, is a single sign-on service for authenticating users on Virginia Tech websites. It is based on the open-source federated SAML provider, Shibboleth. Rather than filling in a form with a PID password on every website, users enter it once on login.vt.edu and are then issued an authentication cookie that they present to websites. This has several advantages, namely:

Because a campus-wide LDAP server exists, SAML is complex, and applications that use login must meet several requirements, it is often easy for lazy system admins to set up LDAP authentication instead. Fortunately, the LDAP service does require two-factor authentication, but its UX is complicated and kludgy enough that we suspect more admins will shift to using login.

The new system, replacing CAS, has two-factor authentication support provided through Duo Security. A user logs in once on login.vt.edu and can then authenticate to all websites for a certain period.

Duo Push

The Duo application recommended for 2-factor has several privacy concerns: namely, it provides the phone’s operating system version and patch status, and a list of installed apps, presumably associated with the PID, to the Duo administrators in central IT. This doesn’t even delve into the issues with using a phone as a second factor—while push notifications are more secure than SMS or phone calls (which are easily spoofed or re-routed), they don’t compare to one-time passwords or hardware tokens.

Public Shaming

The following services do not use Login as of the time of writing:

Note that the majority of them do use the 2-factor LDAP directory, and some of them also restrict access to “on-campus” users.

Best Practice Recommendations

System administrators should always use the Login service for web applications that need to authenticate Virginia Tech users, and train users to never enter a PID password on a webpage that is not login.vt.edu. If it is not possible to do so, services should at least force TLS for all connections.

Unfortunately, the presence of so many legacy applications often means that users do not have the ability to avoid giving their PID password to non-Login websites.

For end users, we strongly encourage the use of TOTP via Google Authenticator or a desktop app, or a hardware token (e.g. a YubiKey) in place of the Duo app and phone calls.