Mandating LastPass at HKS is the Wrong Move

Tyler Hastie
4 min read · Oct 30, 2020

While LastPass is a tool for increasing security, requiring everyone to use it could itself compromise security and infringe on the privacy preferences of students, faculty, and administrators.

LastPass Background

Before discussing the merits of making LastPass mandatory, it is important to understand the service the company provides. LastPass is a password manager. It generates, manages, and stores users’ passwords for various sites, and users need to remember only one “master password” to unlock the LastPass vault. The company also advertises government-level encryption to protect stored passwords and makes the vault available on both computers and phones.

Security at Harvard Kennedy School

HKS’s products (including sites like Knet) have hundreds of users located all over the world. Moreover, the credentials used to log in to Knet are often the same ones used to access Harvard-wide services like myHarvard. The information stored in these services ranges from mundane campus event listings to highly sensitive personal financial and medical records. Someone who maliciously gains access to another person’s account could not only read this information but could also potentially compromise the wider university system.

Harvard University and HKS are subject to numerous cyberattacks every year. The university holds communications and information belonging to people such as faculty who advise influential policymakers and businesspeople. Harvard students also frequently go on to hold powerful positions across many industries and sectors. For these reasons, some third-party organizations and individuals target the university to obtain information.

Given these threats, Harvard University and HKS require strong security policies and products. The school already takes steps to protect users’ accounts. One instance is the mandatory use of Duo Security, the service that provides two-factor authentication for all Harvard-associated accounts. Two-factor authentication means that after a user enters their username and password on a Harvard site, they are asked to verify that it was really them attempting to log in (usually via their mobile phone). As a result, if a user’s password is compromised, the person attempting unauthorized access should still be locked out, because they will most likely not control the account holder’s second factor.

Reasons for Mandating LastPass

The argument for mandating LastPass across all Harvard Kennedy School accounts is that it would strengthen users’ security. Despite HKS’s minimum password-strength requirements, there are many ways for passwords to become compromised. Users may reuse passwords from other sites that have been breached, or choose common, easily guessed passwords such as the names of loved ones or birthdays. LastPass would address these cases by generating and storing a unique, complex password for each website where a user has an account. With this service, individuals would no longer feel the need to pick easy-to-remember passwords, and a breach at another, weaker site would not compromise HKS.
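To make the two failure modes in this paragraph concrete, the following added example (not from the article or from LastPass) audits a small, constructed set of site logins for reused and commonly guessed passwords, then replaces the flagged ones with unique random passwords the way a manager’s generator would. The site names and the common-password list are constructed for illustration.

```python
import math
import secrets
import string

# Constructed sample vault: three sites share one guessable password, as the
# article describes, and one site already has a unique password.
SAMPLE_VAULT = {
    "knet.hks.example": "Fluffy2015",
    "myharvard.example": "Fluffy2015",
    "shopping.example": "Fluffy2015",
    "bank.example": "correct-horse-battery",
}

# Constructed stand-in for a breached/common-password dictionary.
COMMON_PASSWORDS = {"password", "123456", "fluffy2015", "qwerty"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def audit(vault, common=COMMON_PASSWORDS):
    """Return (reused, guessable): sites that share a password with another
    site, and sites whose password appears in the common list (case-insensitive)."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    reused = sorted(s for sites in by_password.values() if len(sites) > 1 for s in sites)
    guessable = sorted(s for s, pw in vault.items() if pw.lower() in common)
    return reused, guessable


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of `length` symbols from `alphabet`."""
    return length * math.log2(len(alphabet))


def generate(length=20, alphabet=ALPHABET):
    """Cryptographically random password, as a manager's generator would produce."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(vault, common=COMMON_PASSWORDS, length=20):
    """Return a copy of the vault with every reused or guessable password
    replaced by a fresh, site-specific random password."""
    reused, guessable = audit(vault, common)
    fixed = dict(vault)
    for site in set(reused) | set(guessable):
        fixed[site] = generate(length)
    return fixed
```

Running `audit(remediate(SAMPLE_VAULT))` returns two empty lists: once each site has its own random password, a breach of one site no longer exposes the others.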

Reasons Against Mandating LastPass

The primary reason not to mandate LastPass is that it would centralize everyone’s passwords. Holding all of the students’, faculty’s, and administrators’ passwords in one place would give bad actors seeking HKS users’ credentials a single, obvious target. Once they had access to LastPass, they could attempt to log in to any account. Under the current system, users’ account information is not centralized anywhere outside HKS’s own systems. That decentralization means attackers may have to approach from multiple angles to get in.

Making LastPass mandatory also makes HKS dependent on the service, which could become financially difficult. While HKS currently pays for a premium subscription, it could one day decide the service is too costly. At that point, if everyone relies on the system, suspending it and having every user migrate their password information elsewhere would also be expensive in time and human effort.

Finally, there may be students, faculty, or administrators who do not want to turn over information that a third party could reasonably use to access their accounts. If users with these concerns decline to share their information, they would be unable to access crucial HKS resources under a mandatory system.

Recommendation

Ultimately, HKS should not make LastPass mandatory. While the argument for mandating it is compelling, it seems like a blunt solution layered on top of an already existing blunt solution. With Duo’s two-factor authentication already mandatory, adding another mandatory system on top of it seems to make the overall system less effective. Those seeking access would now know exactly the two places to look: LastPass and Duo Security. While both systems take measures to protect against attackers, it is a constant game of cat and mouse. One day, attackers’ skills could be just greater than Duo’s and LastPass’s defenses, leading to compromised accounts.

Additionally, the final point against mandating LastPass is particularly crucial. While HKS IT may be comfortable with the idea of using the service, its users, who hold varying opinions, may not be. It would be inappropriate for HKS to force this service on its users. Mandating LastPass is different from mandating Duo. Users simply provide a phone number to Duo for it to function, and people give their telephone numbers to a variety of sources, so this does not cause alarm. However, because LastPass can hold both a username and a password, it can cause more alarm among users. If there is reason to believe there would be substantial protest from users, it would be inappropriate to mandate LastPass, because doing so would cut a group of users off from crucial information.
