In recent months, ANU’s Information Security Office has rolled out a new passwordless approach to university login systems. The passwordless login system relies on multifactor authentication (MFA) via the Cipherise app, developed by Melbourne-based cyber security startup Forticode.

The adoption of MFA for university logins (such as Wattle and student email) comes as part of an overhaul of ANU’s cyber security following a significant system breach in late 2018, according to the university’s Information Security Office. The hack involved the exposure of 19 years of data by an unknown assailant and has prompted a large-scale effort to strengthen defences against cyber security threats.

The Cipherise MFA system was rolled out to university staff over a year ago and has since been made optional for students. At ANU, Cipherise currently has approximately 20,000 users, including 50% of current students and 80% of new enrolments. According to the Information Security Office, the University will eventually mandate MFA for all ANU students and staff.

MFA login involves the initial mobile phone scanning of a QR code on a login page, followed by a prompt to authenticate the user with biometric recognition or by entering an alphanumeric code provided. A unique signal is then sent to unlock the page once authentication is successful on the user’s mobile device. The Information Security Office stresses that the ANU does not collect biometric information (facial or fingerprint). The University expects MFA to make logins both more convenient and more secure for the ANU.

In June 2022, the Information Security Office hosted an explanatory Passwordless Town Hall to outline the purpose of the program and answer questions from current and future users.

The townhall was presented by Liz West (Program Director for the Information Security Office), Suthagar Seevaratnam (ANU Chief Information Security Officer), Nic Smelt (Outreach Manager of the Information Security Office), Peter Raven (Project Manager for the Passwordless project) and Tony Smales (CEO of Forticode).

The presentation began with a discussion into the drawbacks of passwords, which were described as insecure and difficult to manage.

The multifactor authentication method was described as the addition of ‘something you have’ and ‘something you are’ to the login process. In this case, you have your phone and you are your biometric signature. Seevaratnam added that MFA can still be breached in some cases. In order to avoid breaches it is recommended to fully utilise MFA on university accounts and use passwords or biometric security on personal phones.

In further discussion with Woroni, Seevaratnam explained that threat actors want to harvest credentials to either use or sell. He stated that MFA is best practice for protecting the credentials and information of university students and staff from these threat actors.

The rollout of Cipherise as an MFA system relied on consultation and feedback from users, according to Seevaratnam. The initial opt-in stage allowed the Information Security Office to act on the large amount of constructive feedback received, to adjust and better integrate the system.

The introduction of Cipherise is part of a “broader identity uplift” of ANU’s cyber security and is hoped to decrease the number of login times per service and abolish the need to remember passwords.

A number of students have previously expressed concerns about the accessibility of MFA, especially the expectation that students have a phone with biometric capabilities. Seevaratnam stated that acquisition assistance is available for any student or staff member in need of a compatible smartphone.

Students with a genuine hardship issue or medical or accessibility constraints which hinder the use of Cipherise on a smartphone can contact Student Administration for a solution. He also added that the MFA works with any phone running on a recent IOS or Android system including a tested phone which was the cheapest available from a local supermarket.

While students on the whole seem to understand the need for greater cybersecurity, many have shared concerns about the process and distraction of the smartphone integrated MFA system.

Undergraduate student Bita Mahani said “While I appreciate the accessibility benefits and reasons behind the changes, most of the time I end up just putting my password in because my browser does it for me. It is more effort to get my phone out and scan the code.”

Fellow undergraduate student Angelina Inthavong stated that she never uses the Cipherise app, which she finds frustrating. “Isn’t it the point that you don’t need or use your phone when you study?”

A postgraduate student shared similar frustrations with having to use their phone to login to Wattle while trying to focus on study.

It is currently still possible to login using a written username and password without the Cipherise app’s MFA. However, it is expected that no bypass to the MFA will exist in the near future once testing and feedback collection is complete.

The Information Security Office encourages feedback and contact with the dedicated help desk for anyone having issues using Cipherise. Guided sessions are available for anyone facing difficulties setting up or using the Cipherise app for MFA logins.

The help desk can be contacted using the email: servicedesk@anu.edu.au.

According to ANU’s cyber security team, the passwordless login program is the safest and easiest option in the wake of the recent major cyber-attack and “abounding” breaches at present.

Seevaratnam told Woroni that the university has planned significant developments in ANU’s cyber security over the coming months and years.

In the event of a personal cyber security breach, contact the Australian Cyber Security Hotline (1300 CYBER1 or 1300 292 371).