Demoting multi-factor authentication

I started teaching at Facultad de Ingeniería, UNAM in January 2013. Back then, I was somewhat surprised (for good!) that the university required me to create a digital certificate for registering student grades at the end of the semester. The setup had some not-so-minor flaws (i.e. the private key was not generated at my computer but centrally, so there could be copies of it outside my control — Not only could, but I noted for a fact a copy was kept at the relevant office at my faculty, arguably to be able to timely help poor teachers if they lost their credentials or patience), but was decent… Authentication was done via a Java applet, as there needs to be a verifiably(?)-secure way to ensure the certificate was properly checked at the client without transferring it over the network. Good thing!

But… Java applets grow out of favor. I don’t think I have ever been able to register my grading from a Linux desktop (of course, I don’t have a typical Linux desktop, so luck might smile on other people). But last semester and this semester I suffered even to get the grades registered from Windows — Seems that every browser has deprecated the extensions for the Java runtime, and applets are no longer a thing. I mean, I could get the Oracle site to congratulate me for having Java 8 installed, but it just would not run the university’s applet!

So, after losing the better part of an already-busy evening… I got a mail. It says (partial translation mine):

Subject: Problems to electronically sign at UNAM

We are from the Advance Electronic Signature at UNAM. We are sending you this mail as we have detected you have problems to sign the grades, probably due to the usage of Java. Currently, we have a new Electronic Signature system that does not use Java, we can migrate you to this system. (...) The certificate will thus be stored in the cloud, we will deposit it at signing time, you just have to enter the password you will have assigned. (...)

Of course, I answered asking which kind of “cloud” was it, as we all know that the cloud does not exist, it’s just other people’s computers… And they decided to skip this question.

You can go see what is required for this implementation at https://www.fea.unam.mx/, “Prueba de la firma” (Test your signature): It asks me for my CURP (publicly known number that identifies every Mexican resident). Then, it asks me for a password. And that’s it. Yay :-Þ

Anyway I accepted, as losing so much time to grade is just too much. And… Yes, many people will be happy. Partly, I’m relieved by this (I have managed to hate Java for over 20 years). I am just saddened by the fact we have lost an almost-decent-enough electronic signature implementation and fallen back to just a user-password scheme. There are many ways to do crypto verification on the client side nowadays; I know JavaScript is sandboxed and cannot escape to touch my filesystem, but… It is amazing we are losing this simple and proven use case.

And it’s amazing they are pulling it off as if it were a good thing.
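
The property the post regrets losing, signing on the client so that the private key never crosses the network, sketched as an added example (not the author's code and not UNAM's system). Node's built-in `crypto` module stands in here for the browser's WebCrypto API; the function names, the sample identifier and the grade sheet are constructed for illustration.

```javascript
const nodeCrypto = require('crypto'); // stand-in for the browser's WebCrypto

// Bind the server's nonce to the grade sheet; the nonce has a fixed length.
const payload = (nonce, sheet) => Buffer.concat([nonce, Buffer.from(sheet, 'utf8')]);

// Enrollment: the key pair is generated on the teacher's machine and only the
// public key is registered with the server.
function enroll(registry, userId) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  registry.set(userId, publicKey);
  return privateKey; // never leaves the client
}

// Server: a fresh nonce per signing attempt, so a captured signature cannot be replayed.
function newChallenge(session) {
  session.nonce = nodeCrypto.randomBytes(32);
  return session.nonce;
}

// Client: sign locally; only the signature is sent.
function signGrades(privateKey, nonce, sheet) {
  return nodeCrypto.sign('sha256', payload(nonce, sheet), privateKey);
}

// Server: verify against the enrolled public key and consume the nonce.
function acceptGrades(registry, session, userId, sheet, signature) {
  const publicKey = registry.get(userId);
  const nonce = session.nonce;
  session.nonce = null;
  if (!publicKey || !nonce) return false;
  return nodeCrypto.verify('sha256', payload(nonce, sheet), publicKey, signature);
}

function demo() {
  const registry = new Map(), session = {};
  const id = 'CONSTRUCTED-CURP-0001';                        // constructed sample identifier
  const sheet = '{"group":"demo","grades":{"s1":9,"s2":7}}'; // constructed sample
  const key = enroll(registry, id);
  const sig = signGrades(key, newChallenge(session), sheet);
  const genuine = acceptGrades(registry, session, id, sheet, sig);
  const replayed = acceptGrades(registry, session, id, sheet, sig);
  const sig2 = signGrades(key, newChallenge(session), sheet);
  const tampered = acceptGrades(registry, session, id, sheet.replace('7', '10'), sig2);
  // Knowing the public identifier is not enough without the enrolled key.
  const stranger = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }).privateKey;
  const sig3 = signGrades(stranger, newChallenge(session), sheet);
  const withoutKey = acceptGrades(registry, session, id, sheet, sig3);
  return { genuine, replayed, tampered, withoutKey };
}
```

In this sketch the server only ever holds the public key, so a copy of its database or of the user's password does not let anyone else produce an accepted signature.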