Virginia Tech’s Central Authentication Service, or login, is a single sign-on service for authenticating users on Virginia Tech websites. It is based on the open-source federated SAML provider, Shibboleth. Rather than filling in a form with a PID password on every website, users enter it once on login.vt.edu; the user is then provided an authentication cookie to present to websites. This has several advantages, namely:
- Users and system administrators do not need to manage separate accounts on individual services
- Individual websites do not need to handle user credentials directly, thus greatly reducing the attack surface.
- Users are trained to only use the official login site, which makes phishing attempts more difficult.
- Services automatically gain the benefits of the university two-factor authentication requirement
Due to the presence of a campus-wide LDAP server, the complexity of SAML, and several requirements for applications that use login, it is often easy for lazy system admins to setup LDAP authentication. Fortunately, this service does require two-factor authentication, but the UX is complicated and kludgy; enough that we suspect more admins will shift to using login.
The new system, replacing CAS, has Two-factor authentication support provided through DUO Security. A user logs in once on login.vt.edu, and can authenticate to all websites for a certain period.
The Duo application recommended for 2-factor has several privacy concerns: namely it provides phone operating system version and patch status, and a list of apps installed, presumably associated with PID, to the Duo administrators in central IT. This doesn’t even delve into the issues with using a phone as a second factor—while push notifications are more secure than SMS or phone calls (which are easily spoofed or re-routed), they don’t compare to one-time passwords or hardware tokens.
The following services do not use Login as of the time of writing:
- Computer Science Resources Consortium - Student Résumé Upload
- CS Web-CAT
- CS Moodle
- CS Gitlab
- ECE CEL Validation Queue
- ECE SWEL Validation Queue
- ECE CVL Account Maintenance
- ECE OpEL Validation Queue
- ECE Gitlab
- Fleet Services Fleet Commander
- Housing Systems
- LaundryWeb/CS Gold
- Parking Services Customer Authentication
- Post-graduation Survey
- VT Calendar
- Web Hosting Departmental Admin Tool
- Web Hosting Organizational Admin Tool
Note that the majority of them do use the 2-factor LDAP directory, and some of them also restrict access to “on-campus” users.
Best Practice Recommendations
System administrators should always use the Login service for web applications that need to authenticate Virginia Tech users, and train users to never enter a PID password on a webpage that is not login.vt.edu. If it is not possible to do so, services should at least force TLS for all connections.
Unfortunately, the presence of so many legacy applications often means that users do not have the ability to avoid giving their PID password to non-Login websites.
For end users, we strongly encourage the use of TOTP via google authenticator or a desktop app, or a hardware token (e.g. a yubikey) in place of the Duo app and phone calls.