ANU to go Passwordless
By Tom Kersten
ANU will soon transition to passwordless authentication throughout its online systems, with an initial interim period allowing for the ANU community to choose between existing log-in methods or the new passwordless system.
The University will use Cipherise, developed by Australian-based cybersecurity company Forticode.
Observer spoke to Nic Smelt – who is the Outreach Manager at the University’s Information Security Office – about this development.
When asked why ANU has decided to transition towards passwordless authentication, Smelt stated it was due to the threat environment, including the risk of large-scale hacks. The belief that “passwords have had their day” and that now is the time to move on to new technology was also a factor.
“Globally, the online threat environment has become increasingly hostile. The prevalence of phishing is a good indicator of this,” Smelt said.
Smelt stressed that there is nothing to be concerned about, but that “cyber safety and security vigilance will be an ongoing concern … while an overused cliché, cyber defenders are in an arms race with attackers.”
“The immediate benefit from going passwordless is that we nearly completely deny phishing as a useful tactic against our community.”
Further, Smelt believes “passwords have never been a great form of security.”
This is partly because passwords “are not human-friendly and force us end-users into engaging in unsafe practices.”
Given the multiple requirements to create a secure password, Smelt said “we all tend to engage in some sort of unsafe password behaviour.”
Once the interim period ends, all ANU users will be required to make the transition to passwordless authentication.
Smelt noted that the length of the interim period “will be determined by a handful of factors, including the rate of uptake.”
“A smooth user experience while going through the transition period is the main driver of our roll-out design.”
To use Cipherise, users will need to download its app onto a phone or tablet. When logging into ANU services such as Wattle, a QR code will be displayed, which will need to be scanned using the Cipherise app. The user is then required to perform a biometric check, using either fingerprint or facial recognition, depending on the device’s capabilities. Once that is verified, the user will be logged in.
Should users not have a device by their side when wanting to log in, they are able to receive temporary 8-hour access to their account. However, this will require the user to call Cipherise’s Service Desk and answer security questions.
As the use of passwordless authentication requires a smart device with an internet connection, Smelt acknowledges that some members of the ANU community may not be able to meet these requirements.
“We will be talking to stakeholders and support areas to determine the best mechanism[s] for ensuring that vulnerable members of our community are in no way disadvantaged,” Smelt said. Either way, Smelt urges students: “Do not worry. Your community has your back.”
There are several passwordless authentication models on the market. Smelt said Cipherise was chosen “because they are an Australian company developing what we see as a uniquely innovative product … all of the infrastructure we are using for Cipherise/passwordless is located within Australia and under ANU control.”
Smelt believes the decision to work with Cipherise further fulfils “part of the ANU purpose by supporting and fostering Australian innovation.”
The University’s website said the adoption of this technology will provide “the ANU community with world’s best security and greater ease. Maximum security, minimum effort.”
Graphics by Mady Hall