University of North Texas Collects Social Security Numbers for Multi-Factor Authentication

As part of its security framework, the University of North Texas (UNT) is rolling out DUO. DUO is a personal device approval system for accessing university-leased software-as-a-service offerings. From a business point of view, if the University needs to verify or limit the use of leased licenses to only registered (qualified) individuals (at the behest of the software leasing agency, or as a consequence of possible greater financial liability), then the approach makes sense. Duo falls under a broad category of multi-factor authentication (MFA) tools: a user must use two communication tools to access some knowledge or digital service. MFA is seen as a "best current practice" in the security field. However, it is, from a user's perspective, perhaps the most annoying addition to our lives. It presumes that one has not only the computer that is trying to access the service but also a cell-based mobile device, and that that device is currently connected to a larger network. It is not clear to me that DUO is not actively recording and reporting other neighboring Bluetooth devices, as Facebook's apps have been reported to do. That is, the security leak that DUO has the potential to be is perhaps just as great as the risk to networks with single-factor authentication. The exact technical nature of DUO's "verification" process is not transparent. I have been using DUO at the University of Oregon for over a year.

The UNT process of rolling out DUO requires that potential users enter their US Social Security number (SSN) into the website during the verification process. Collecting this piece of personally identifying information seems to be overreach or poor information architecture. The UNT web application collecting the information does not explain to the user:

  • how the SSN is processed (why it is needed), or
  • how it is stored, or
  • when they will dispose of the information submitted on the form.

A student's SSN is part of the federally protected student information and is in general a valuable piece of information to have. Requesting the SSN via a website after a student has already been admitted to the University seems like it opens the University up to a targeted attack on that particular web application. This process puts the SSN in the realm of data-in-transit, where previously the SSN was only data-at-rest. The clever attacker would not try to spoof DUO or access the UNT network, but rather sniff the data in transit as it is communicated for the purposes of creating an authentication system. Reporting my SSN for the process of creating a DUO account was not necessary when I made my DUO account at the University of Oregon.

When I called the UNT IT office to ask about this, I was put in a hold queue by an automated answering service, and then the automated service terminated the call without a response from me.