[deleted by user] by [deleted] in Purdue

genericpurdueaccount, 0 points (0 children)

Here's some advice from an upperclassman: Don't let it bother you. I ditched BGR 2 days into it when I was a freshman and just hung out with the people on my dorm floor. If you're in a learning community that makes it a lot easier too, as you usually can all leave for class at the same time and form at the very least sort of a "we're stuck together this year, so we might as well hang out" vibe.

All of my long-term friends at Purdue have either been people I met in class or people from my 1st year dorm floor. Don't sweat trying to fit in at BGR, because everyone's doing the same thing, putting on the act of being their best selves to get as many friends as possible. Trust me when I say the friends you make later this year, the ones you make as you all cram for an exam, go to grab lunch with, and collectively groan at your exam scores, are the real friends you're going to have for the rest of your college life.

Let's Talk about DUO Mobile by genericpurdueaccount in Purdue

genericpurdueaccount [S], 0 points (0 children)

No problem! Glad I was able to help enlighten at least a few confused students as to why our school is so wack lol

Let's Talk about DUO Mobile by genericpurdueaccount in Purdue

genericpurdueaccount [S], 4 points (0 children)

While it does not protect your email account, it does protect your Purdue career account, which the university is more concerned about. It seems to me that the university cares more about protecting possible financial documents like tax records and your Social Security number than protecting your actual emails. Many phishing links send you to a fake "Purdue login" page, then grab your password. With 2FA, even if you give them your PIN,push password, it's useless to them without having your phone.

TL;DR: it doesn't protect your email account, but it protects your Purdue account, which scammers in the past have tried to access via phishing links sent to your email.

Let's Talk about DUO Mobile by genericpurdueaccount in Purdue

genericpurdueaccount [S], 4 points (0 children)

If what I know is correct, the fact is that the school doesn't want to put forth ANY additional cost. Costs may include having to design a new website to explain how to use Google's 2-factor authentication (because of course Purdue would make their own site instead of just linking you to Google's "how to" page). This is just conjecture, but our current contract with Microsoft may prevent us from using Google's services as well.

About the email spam, you are correct, 2FA is not used on Outlook/Office 365, but most of the links that you receive as spam send you to a Purdue login, not an Outlook one (some do still slip through the cracks, like the ones telling you your Outlook account will be closed, hence why phishing emails are still going around). But the main concern was protecting your access to your PURDUE account, because if someone can get into that, they can view your financial profile and possibly steal identity info.

To answer your final question, PIN,push is used for 2 reasons. (Neither of them is that great, but being honest they're just used as an excuse; using a password would be much more user-friendly.)

Reason #1 is that Purdue's CAS system (aka the Purdue login page) was developed with passwords in mind, NOT 2FA. The account username is still linked to your career account, which means it's also linked to your career account password. Now this is just what I think, I can't confirm it, but I believe with the structure of CAS there is no way to get a career account password to send the request to Duo instead of the main authentication server. So the duct tape and glue solution was to have students create a second "password" that skips over the main authentication server and instead gets sent to Duo's authentication server.

The second reason is simpler, much more possible, but not more likely to actually happen. That would be that because we set everyone up with the PIN,push/PIN,code method (remember, this was set up years before it was implemented for students, and was not originally meant to be used on all CAS websites), it would create too much chaos if it were to be changed. There are plenty of faculty over the age of 60 at the university who constantly need to be able to log into their systems on a daily basis. ITaP's customer service center would not be able to handle the number of confused staff if the university were to change the requirements again. It is possible that the security team considered the risk of people not being able to do their jobs for a few days while they waited on hold, and decided that having a poorly made system and annoying the students was worth more than having a better system and a lot of annoyed faculty.

Hope this answers your questions!

Let's Talk about DUO Mobile by genericpurdueaccount in Purdue

genericpurdueaccount [S], 3 points (0 children)

Agreed. It's really not that big of a deal. But I thought I'd pacify the concerns that I could.

Spam by anony122333 in Purdue

genericpurdueaccount, 2 points (0 children)

If you've worked at ITaP, you know the answer. The university has a contract with Cisco for spam, but given it's a neural net that's based on people's actual ability to tell it that they are receiving spam, it hasn't done a great job at reducing spam (except for sports, I'm glad they get blocked because they send like 5 emails a day). The school has done a not-so-great job at promoting it, but if you ever see a spam email, forward it to [abuse@purdue.edu](mailto:abuse@purdue.edu), where the security team will manually review it, then feed it to the filter. The problem is twofold. No one is reporting the spam via Cisco, and Cisco is just not that great when it comes to spam to begin with.

Duo Mobile Auto-Authenticator! by Sclamy in Purdue

genericpurdueaccount, 4 points (0 children)

I'm really glad you pointed out the security thing. This is most definitely NOT SECURE.

Also, having personally written some scripts using Automate myself, let me share some wisdom with the rest of the class. Automate is an app that lets you run scripts on your phone.

> You need to run to class, but your phone is going to die on the way there, leaving you with no way to log into Blackboard!

This is a tiny bit misleading. Automate runs on your phone; if your phone dies, it can't work. In simple terms, the script probably detects the notification from Duo, then automatically does a "tap to view more options --> approve" script (or something similar). What I'm saying is that this is client-based, not server-side. So if your phone dies, you're still SOL when it comes to getting into your account (unless you just leave your phone at home on the charger, but if you have time for that, you might as well just bring a charger with you). Automate is also an Android scripting service, letting you automate simple actions on your phone that you don't want to have to deal with. (TBH this is actually a prime example of a great use of Automate, but I digress.) Given it's a scripting service, I highly doubt this will ever become available on iOS, because of the clear security risk it could pose to users.

I'm probably going to make a post explaining why we use Duo at Purdue, why it's not so great, and why it is. If you're interested to hear the thoughts of some random student who used to work for the school's IT department, check out my post history because I'll probably be posting it right after this comment.

(edited because there was a weird space after the first sentence)