Secure login with MFA

Soon you’ll only be able to log in to your UAntwerp account with multi-factor authentication (MFA). That means you’ll need to perform an extra step after entering your username and password. ‘This extra layer of security is absolutely needed. To avoid last-minute surprises, we recommend already activating the system right now,’ says the ICT Department.

Sadly, cyberattacks are becoming increasingly common, with hackers constantly developing smarter methods. ‘Not a day goes by now without a big organisation or company being hacked. It’s not even breaking news any more,’ says Geert Mertens, Head of the ICT Helpdesk. The attack that hit the city of Antwerp late last year is still fresh in our minds. The damage still hasn’t been fully repaired to this day.

In 2019, our university was also hit by a cyberattack, but fortunately the damage was relatively limited. Security was then tightened further. ‘Among other things, we then introduced a mandatory renewal and annual password change. And we started a campaign to raise awareness about IT security,’ says Geert.

And now you’re stepping up security even further with the introduction of MFA. Why is logging in with a username and password no longer enough?

Geert: ‘The problem is that many people use the same username and password for all kinds of different accounts across the web. If this password is cracked on a poorly secured website, that data can then be used to log into the UAntwerp system. Another risk is phishing emails, asking people to enter their password on a fake website.’

Wim Meul, Systems Director within the ICT Department: ‘Many passwords don’t even require cracking, as they’re so easy to guess. On the internet, you can even find long lists of commonly used passwords.’

Geert: ‘Just one careless click, for example activating a macro in Excel, can cause your device to become infected. In such cases, MFA provides extra security even when your password is hacked.’

What are the risks if your login credentials are stolen?

Wim: ‘For one thing, there can be major consequences for you personally. As a researcher, you could lose all your data, or important information could be leaked. But it goes beyond that: if you work in finance or human resources, for instance, hackers can get their hands on a lot of sensitive information.’

Geert: ‘They can even contact other employees while impersonating you, making it fairly easy to find out their login details, too. The consequences can be disastrous. A possible doomsday scenario would be a cyberattack that we can’t abort in time, crippling the entire university. That would seriously damage our reputation. Not to mention the cost. Because even if you don’t pay a ransom, just repairing all the damage takes a lot of time and money.’

Wim: ‘Cybersecurity is getting more and more attention, and for good reason. The European Union, through its NIS2 directive, will mandate the use of MFA in all government organisations from September 2024.’

What exactly is MFA?

Wim: ‘Multi-factor authentication or MFA is a method of ensuring that a person logging in with a username is in fact that person. Several factors are used, including something only you know, like your password, and something only you have access to, like your phone or tablet. What often happens is that you get a numerical code via text message or through a dedicated app, or you receive a phone call and are asked to press the pound sign. Another possibility is a physical security key, which you plug into your laptop, and then you enter the PIN code. We recommend activating multiple options to avoid unpleasant surprises, for instance if you don’t have your phone on you.’

Geert: ‘But in case of emergency, you can always request a temporary code from the helpdesk.’

Is logging in with MFA required every single time?

Wim: ‘Not on an ICT-managed device, no. You’ll only have to do it every so often: every 28 days on campus, once a week elsewhere in Belgium, and once a day abroad. But if you use your own device, you’ll have to use MFA for every single application, like your mail client, Teams, your browser …’

Geert: ‘We realise that MFA makes life a little more difficult, but that’s simply the price we have to pay for extra security. It’s all about striking the right balance between security and convenience. The risk if things go wrong is just too great.’

When will the new login system be rolled out?

Wim: ‘We’ll be communicating extensively about MFA throughout October, and then in November it will become mandatory for all staff and students. We’ll be rolling it out gradually across departments and faculties so that our helpdesk doesn’t get swamped.’

But end users don’t have to wait until November, then?

Wim: ‘Certainly not, we highly recommend switching today. It only takes 15 minutes, and it’s better to be prepared than to find yourself suddenly unable to log in at a really inconvenient time, like during a lecture or right before an important meeting. In July, we launched a call to activate MFA in the Pintra newsletter, and almost 150 employees have already started using it. Indeed, many employees had been asking for MFA for some time. Sometimes it’s also a prerequisite to get a certain project funded. At the ICT Department, we switched to MFA more than half a year ago.’

Some people are more tech-savvy than others. Won’t the helpdesk get swamped with calls in November?

Wim: ‘There’s certainly that risk. That’s why we want to ask everyone to please carefully read the manual on Pintra first before calling the helpdesk. And remember, our university is a very diverse environment when it comes to equipment. Whatever the type of device you’re using, you can probably find another staff member or student who uses it. At the ICT department, we don’t know every device inside and out either.’

Geert: ‘But of course the helpdesk will be more than happy to assist anyone who really can’t figure it out themselves.’

Wim: ‘This applies to any staff member or student who can’t get it to work properly, for whatever technical or practical reason. We’ll find a solution together.’

Was it a big challenge for your department to prepare the rollout of MFA?

Wim: ‘Oh, yes. For one thing, we had to ensure that pretty much all applications are contained in our login portal. Any application that’s not hooked up to the portal is like a back door that remains open. That was quite a complex undertaking, which took a long time.’

Does the new login system guarantee that no one will ever touch our data?

Geert: ‘Unfortunately, it’s not that simple. You’ll still have to be careful and take basic precautions, like never opening an attachment from an unknown sender. After all, elaborate phishing schemes could manage to circumvent MFA. Compare it to home security, if you will. A fantastic lock on your front door is utterly useless if you leave the back door open.’

What’s the next step? A system without passwords?

Geert: ‘That’s right. MFA now uses something only you know and something only you have. In the future, a third element will be added: something only you are. That can be face recognition or a fingerprint, as is already the case with Windows Hello.’

Wim: ‘We’re currently considering a scenario where you don’t even need a password any more. We plan to start offering that option on ICT-managed devices sometime next year. The world of cybersecurity is changing rapidly, and we want to keep up with the latest trends. We’re doing everything we can to marry safety and convenience.’  

More info about MFA can be found on Pintra.