
Purdue's Two-Factor Authentication System, BoilerKey

BoilerKey is Purdue’s attempt at two-factor authentication. Not only was it not well thought through, but ITaP also offered very little support for it, all while forcing it on all students and faculty on the same day. Typically, two-factor authentication is a very helpful feature. However, Purdue’s implementation of it has not only confused students and faculty but has also reduced security in some ways. By using “PIN,push”, the complexity of your password is significantly reduced, from at least 8 letters/numbers/symbols down to only 4 numbers.

In almost any other implementation of two-factor authentication, users have an app on their phones that generates six-digit one-time passwords. These are used in combination with your pre-existing password. When logging in, you enter your username and password as usual and then are prompted to enter the six-digit one-time password. This serves to add to the existing security. Although this is only anecdotal evidence, it seems to me like I’ve received significantly more spam emails from clearly hacked Purdue accounts after BoilerKey was implemented.

With BoilerKey, users are asked to replace (but not entirely, more on that later) their password with a flimsy, four-digit PIN. In addition, all people must do is tap a notification on their phone, instead of purposefully opening an app. In defense of BoilerKey, this is easier than opening an app and typing in the six-digit one-time password. However, this may also serve to reduce security, as most college students would just instinctively press the “Allow” button without thinking. The nice time-saving measure is quickly nullified, however, as you must use BoilerKey every time you log in. With most other two-factor authentication implementations, you’ll stay logged in when using the same device.

This brings me to my next point, which is that BoilerKey isn’t ubiquitous across places where your Purdue Career Account credentials are used. Some platforms use it, and others don’t. For example, logging into your email or a campus computer doesn’t require BoilerKey, but logging into most other products does. This is very confusing for users, as Purdue has not made it clear where we need to use BoilerKey and where we need to use our normal Career Account password.

In conclusion, BoilerKey has been a big disappointment to many and has seemingly managed to make the phishing problem on campus worse than it already was, despite its goal to do the complete opposite.
