by jcrawfordor 1157 days ago
It's kind of hard to follow the moral stance here. The university is apparently a Microsoft 365 customer. The objection of the students here seems to be that... They are being required to use a Microsoft product in order to access a Microsoft product? It's hard to understand how 2FA is the thing that crosses the line, when the university has already entrusted Microsoft with everything else.

And as they say in the letter, MS Authenticator (which is not even really a 2FA system but a passwordless authentication product, likely the best on the market right now) is not even mandatory as SMS is also an option. Setting downsides of SMS 2FA aside, they are not actually being required to use proprietary software, but instead seem to have bundled two mostly unrelated concerns together. I mean, they're objecting to having to share their phone number with MS... In order to access their email that MS hosts. The privacy boundary they're making this stand over is just a very strange one.

TOTP isn't really a drop-in replacement either, as MS Authenticator is intended to protect against a couple of classes of attacks that TOTP doesn't, most importantly 2FA interactive phishing, which TOTP remains vulnerable to. Following the Okta attacks a number of organizations have prohibited TOTP, as interactive phishing of TOTP tokens is becoming pretty common, such that TOTP 2FA is no longer substantial protection against this extremely common attack vector. FIDO is another good option, but frankly the usability of FIDO remains very poor and it produces a much higher volume of support issues than app-based interactive verification.


>It's kind of hard to follow the moral stance here.

Fighting for civil rights often makes you look like a prick, because you keep laser-focused on your goal and need to counter all the reasonable-sounding objections of people who were following their daily routines before this ball-breaker came along; but it is nevertheless necessary.

Contrary to Hollywood films, people don't stamp on other people's rights because they have some inner impulse to do evil, but because injustices are ingrained in the common way of doing things, and fixing them implies deviating from those routines; that's why it's so hard to change them.

That's the real meaning of the sentence "for evil to triumph, all it takes is for good people to do nothing". The movie script of a hero taking the matter into their own hands and saving the world with heavy guns is but a fantasy.

> Fighting for civil rights often makes you look like a prick, because you keep laser-focused on your goal and need to counter all the reasonable-sounding objections of people who were following their daily routines before this ball-breaker came along; but it is nevertheless necessary.

you are correct. All true.

But there is no easy-to-implement groupware, open office, email, or chat suite. Yes, on HN you can say Zoho or SOGo or LibreOffice. While I totally use OSS, it is a pain for universities to find talent to implement this at scale.

Also a majority just use MS products and want compatibility. This is similar to tons of devs doing OSS dev but using macOS (and using a VM or remote ssh) because they want their devices to run for 12 hours on battery.

Some European universities tried going with open solutions; this patchwork either failed or some even got hacked.

In the end, there are no easy solutions. I sincerely wish someone like the Linux Foundation would implement a total OSS solution based on Nextcloud, an all-integrated suite to compete with G Suite or MS.

The problem is being required to install Microsoft spyware on your personal devices
...to access non-free software or services. That is patently ridiculous and philosophically inconsistent.
This seems somewhat overblown, inasmuch as the use of proprietary, closed-source productivity applications developed in the United States is itself an a priori compromise of eFSF values.

Email is a thankless, dirty business (ask anyone that has ever done an Exchange migration), and there is no incentive for the University to necessarily use and maintain a persistent free software-based email backend. It would be a better outcome to allow students the ability to use their own, personally-chosen communication services and devices, with the caveat that this might exclude some students or faculty from accessing resources that are under the control of commercial partnerships.

Stop putting your hand in the meat grinder and turning the crank. It IS possible to live the FOSS dream; just stop whining that non-FOSS software and services have left you behind; it's not their directive to do so.

I think it’s more fundamental than this. They do not want their education to be conditional on having MSFT software on their phone, or handing over personally identifiable data like their phone number to a big tech corp.

But the students were further aggravated by the incompetence of the university. There’s a bit in the articles and emails about how easy it was to hack into their infrastructure despite 2FA efforts. Together, these things (and some of the published emails) seem to show the university is stubborn and incompetent. Which is where students and VGTU seem to clash as well.

The university staff should have just enabled TOTP, or at least offered some reason to believe they generally knew what it was. Given the university claims to be specialised in tech, it is a reasonable expectation. Instead, their technical staff demonstrated a front line tech support level understanding.

It seems like those are the fundamental problems the students are surfacing.

In no particular order:

* O365 doesn't require installing anything on your local device.

* SMS 2FA is less secure.

* Personal phone number is in a separate privacy domain from work/school email.

> The objection of the students here seems to be that... They are being required to use a Microsoft product in order to access a Microsoft product?

The objection is that they're being required to compromise their security, either by installing Microsoft's spyware or enabling SMS 2FA.

Security of what though? MS email and OneDrive. I don't get it either, unless the critique isn't actually limited to the 2FA app.

The security of their personal devices, on which they must install Microsoft spyware and accept its terms before being allowed to complete their education.

Ah ok. The 2FA isn't the important part, nor the service; it's the fact that it's an app of any kind that they otherwise would not choose to install on their personal property, and shouldn't have to in order to do something like simply be in school. I completely agree with that.

I'd say if the school isn't willing to modify their server configs to allow generic 2fa, they should be obligated to provide devices to run that app if they really insist on that app alone. Then maybe with that choice they might decide it makes more sense to reconsider simply having one admin do about an hour's research and setting some service options.

TOTP phishing? Like, MITMing TOTP requests or something?
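The "interactive phishing" the top comment refers to, and the question just above about what MITMing a TOTP request looks like, are worth seeing in code. The following is an added example, not code from the thread or from any of the products it names: it simulates a real-time phishing proxy that relays a victim's TOTP code to the genuine site inside the 30-second window (which succeeds, because nothing in a TOTP code says where it was typed), and then the same proxy against a FIDO/WebAuthn-style assertion (which fails, because the browser writes the page origin into the signed client data and the relying party rejects a mismatch). The hostnames, the shared secret, and the use of HMAC as a stand-in for the authenticator's ECDSA signature are assumptions for illustration; the TOTP routine itself is the standard RFC 6238 algorithm and is checked against the RFC's published test vector.

```python
"""Constructed simulation: TOTP relay phishing vs. origin-bound FIDO assertions.
Added example for this thread; hostnames, secrets and the HMAC stand-in for
the authenticator signature are assumptions, not real product behaviour."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.university.example"       # assumed legitimate site
PHISH_ORIGIN = "https://login.university-example.net"  # assumed attacker proxy


# --- TOTP: RFC 6238 on top of RFC 4226 HOTP (HMAC-SHA1, 30 s step, 6 digits) ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


class TotpServer:
    """The real site: accepts any code matching the current time step."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def login(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, unix_time))


def totp_relay_phish(server: TotpServer, victim_secret: bytes, now: int) -> bool:
    """Attacker-in-the-middle: the victim reads the code off their app, types it
    into the phishing page, and the proxy submits it to the real site a couple
    of seconds later. The code carries no information about which site it was
    typed into, so the real site cannot tell the difference."""
    code_typed_by_victim = totp(victim_secret, now)  # what the victim's app showed
    relay_delay = 2                                  # seconds, well inside the step
    return server.login(code_typed_by_victim, now + relay_delay)


# --- FIDO / WebAuthn-style assertion ------------------------------------------
# A real authenticator signs with a per-credential ECDSA key scoped to the RP ID;
# an HMAC keyed with a per-credential secret stands in for that signature here.
def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """The *browser* fills in the origin of the page that made the request; the
    user cannot edit it, and the authenticator signs over its hash."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.b64encode(challenge).decode(),
        "origin": origin,
    }).encode()
    digest = hashlib.sha256(client_data).digest()
    return {"client_data": client_data,
            "signature": hmac.new(cred_key, digest, hashlib.sha256).digest()}


class FidoServer:
    """The real site as a WebAuthn relying party."""
    def __init__(self, origin: str, cred_key: bytes):
        self.origin, self.cred_key = origin, cred_key
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.outstanding.add(c)
        return c

    def login(self, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        challenge = base64.b64decode(cd["challenge"])
        if challenge not in self.outstanding:
            return False                             # replayed or unknown
        self.outstanding.discard(challenge)          # single use
        if cd["type"] != "webauthn.get" or cd["origin"] != self.origin:
            return False                             # signed on another origin: reject
        digest = hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.cred_key, digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def fido_relay_phish(server: FidoServer, cred_key: bytes) -> bool:
    """Same proxy: fetch a real challenge, present it on the phishing page, relay
    the signed assertion. The browser on the phishing page wrote PHISH_ORIGIN
    into the client data, so the real site refuses it."""
    challenge = server.challenge()
    return server.login(authenticator_sign(cred_key, challenge, PHISH_ORIGIN))


def fido_legit_login(server: FidoServer, cred_key: bytes) -> bool:
    challenge = server.challenge()
    return server.login(authenticator_sign(cred_key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    seed = secrets.token_bytes(20)
    print("TOTP relay phish succeeds:", totp_relay_phish(TotpServer(seed), seed, 1_700_000_010))
    fido = FidoServer(REAL_ORIGIN, secrets.token_bytes(32))
    print("FIDO legit login:", fido_legit_login(fido, fido.cred_key))
    print("FIDO relay phish succeeds:", fido_relay_phish(fido, fido.cred_key))
```

The FIDO half is deliberately optimistic about the attacker: a real browser would not even offer the credential on the phishing page, because credentials are scoped to the relying party ID, so the origin check in `FidoServer.login` is the second line of defence rather than the first. The TOTP half is the whole point of the top comment: a code that is valid for 30 seconds anywhere is a code that can be relayed anywhere.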