To be or not to be… digitally safe: Mandate LastPass at The Fletcher School of Law and Diplomacy

This article is written as an assignment for HKS Class DPI 662B: Digital Government.

Source: James Kainth

Is our digital presence safe?

As an added layer of security, starting July 1, 2018, Tufts University mandated that all staff, faculty, and students across all its campuses and institutions, undergraduate and graduate, including the Fletcher School, use the Duo Mobile two-factor authentication (2FA) system. The goal is to decrease the risk of account takeover: whenever a user's password is used to sign in to a Tufts-affiliated website, the user receives a verification alert on the device of their choice. However, the COVID-19 pandemic has moved most of our work online and made working from home the rule rather than the exception for many. The Fletcher School in particular is susceptible to cyberattacks because its students, faculty, and staff do research in international security, law, and politics, and are therefore targeted by a variety of bad actors. Many of us work from home on personal devices, i.e. laptops, mobile phones, tablets, and smartwatches. This inevitably means that a document containing sensitive information is sometimes stored in a personal cloud account, which may be easier to infiltrate because a personal Gmail account most likely does not have 2FA enabled.

Currently, Tufts IT merely recommends a list of password managers; none is provided as a utility by Tufts, and there is certainly no mandatory requirement for users to use one. Other than a password management system, there is no equivalent form of “digital insurance” against information being leaked or a hacker extorting the individual for money or information. LastPass can integrate with the Tufts 2FA system that is already in place and generate strong passwords that will be very difficult to crack. Therefore, this article proposes mandating the use of the industry’s best password manager, LastPass.

Why should we care about security and privacy at Fletcher?

Below is an analysis and assessment, for the purpose of cyber-security planning and threat modeling, of the threats that Fletcher students, faculty, and staff may face:

Sources: Student hacked class grades; Security Cards: Security Threat Brainstorming Toolkit and Security Starter Pack: Assessing Your Risks

A great number of Fletcher School students, faculty, and staff work on research projects for the United Nations, the World Bank, and foreign governments. This research is highly sensitive and oftentimes controversial in the realm of international relations: it may pertain to civil liberties and surveillance in China, the use of force and coercion by Saudi Arabia in the Middle East, or transatlantic migration flows through Mexico and border wall disputes. The divulging of such research could be the downfall of the individual. The list of adversaries varies between individuals, i.e. students, faculty, and staff. For example, the threat to faculty doing research that negatively highlights one country is different from the threat to staff organizing school events. Therefore, thinking from the point of view of a potential attacker, it is important to delineate the level of threat in terms of the attacker’s resources, motivations, and methods for carrying out an attack.

Key considerations for adopting LastPass

Pros:

§ The user (student, staff, faculty) only has to remember one master password, i.e. the one for LastPass, and LastPass can suggest very strong passwords on the user’s behalf, which are stored in a secure “digital vault”. Hackers tend to exploit users with weak passwords because it is much more difficult to exploit a flaw in a website: it is very difficult for a hacker to break into a website, but relatively easy to gain access to someone who uses the same password for their bank account as for their Ikea account.

§ LastPass is much better than built-in browser password managers like Google’s, which rely on the auto-fill feature, which is risky. LastPass can also store answers to security questions, which browser-based password managers cannot store.

§ LastPass uses AES-256 encryption (the industry’s highest security grade, also used by the U.S. military, and very difficult to decrypt without the key) and a zero-knowledge architecture (its own encryption process prevents LastPass itself from gaining access to a user’s digital vault of passwords). Although LastPass has faced security intrusions of its own on a few occasions from a small number of attackers, those attackers were not able to view the encrypted passwords and had to rely on phishing attacks and malware to gain access, and the security vulnerabilities were resolved within hours.

§ LastPass syncs seamlessly between devices such as smartphones, laptops, and tablets.

§ LastPass will remember passwords for smartphone apps; the password manager can draw over other apps to fill in passwords.

§ The cost of the LastPass premium enterprise service would be borne by Tufts and could include family members in the plan too.

Cons:

§ LastPass can automatically fill in passwords on browser pages, and this may be problematic because auto-fill exposes password managers to attack. It is safer to copy and paste the password directly from the LastPass digital vault into the website requiring it, but users may be too lazy to do that; instilling good digital etiquette by integrating this topic into student orientations and staff/faculty meetings would be a good workaround.

§ The burden of liability is unclear if password security is breached (is it LastPass? Fletcher? Tufts?), especially for the personal digital assets that were protected rather than only the professional, Fletcher-affiliated assets.

§ There may be low compliance and uptake for LastPass, as compliance is difficult to enforce, especially among older members (e.g. professors emeriti), which may make LastPass a costly investment for Fletcher; though there are very few such older members.

§ LastPass cannot be used in all countries, but the user can bypass that restriction through a VPN. If it is a free VPN, the user may be opening themselves up to more malware and ransomware; given that a large number of Fletcher’s international affiliates are spread around the world, this may be an issue, but an enterprise account tailored specifically to Fletcher could resolve it.

§ LastPass cannot be used offline and needs internet connectivity; this may be problematic for users doing fieldwork in post-pandemic settings.

Hypothesis and Implementation

In spite of some minor flaws, most security experts agree that password managers are highly recommended, given that the average user has 100+ passwords in today’s interconnected world. The economics of security suggest that the marginal benefits derived far outweigh the marginal costs of having a password manager. Having more users sign up for LastPass means that vulnerabilities can be detected and thwarted more easily, given the different contexts and breadth of user experiences. The stronger the password, the lower the risk of being hacked. However, Fletcher and Tufts need to make clear to students, faculty, and staff whether they can continue using LastPass after their departure from the school and whether they can migrate their accounts to their personal names.

In order to test the hypothesis that mandating the use of a password manager does not present significant inconveniences to Fletcher members, we can initially mandate LastPass only for the students continuing in the Spring 2021 semester. They have a more diverse demographic mix (by age, ethnicity, and geographic location). With a smaller sample size, we can test the uptake and usability of LastPass in an agile way. As the spring semester begins in late January 2021, we can require students to comply by placing a hold on class registration until they sign up for LastPass. Students would have until mid-February to sign up. LastPass will be integrated across all student data infrastructure, including SIS, Canvas, Tufts Box, OneDrive, myFletcher, and more, all of which are already protected by the 2FA system; across the board, personal and professional data will be kept secure.

To evaluate the Minimum Viable Product of LastPass during the beta testing phase, i.e. user receptiveness to the usability, functionality, reliability, and design of the password management service, we can administer online surveys with the goal of a response rate of about 40 percent. These online surveys will be emailed to users via the Social List and official announcements, as well as through pop-up messages on myFletcher.

Moreover, during this beta testing stage, Fletcher can also ask its big sibling, the Harvard Kennedy School, to share its institutional expertise and knowledge of the pros and cons of LastPass, as it is readily provided to all of their students, faculty, and staff.

Based on a representative sample of customer satisfaction reports, if 50 percent or more of the student body agree that they are enjoying LastPass, we can then implement a full roll-out of LastPass among all Fletcher and Tufts students, faculty, and staff in Fall 2021.