10/10/18 Boilerkey Graphic

Since the initial implementation of BoilerKey on Purdue's online login pages, reactions have been mixed. However, junior Ben Scholer has created a workaround.

The workaround, a Chrome browser extension obtainable through the Chrome Web Store, works to bypass the two-factor authentication originally created by ITAP. The computer information technology major started working on it as soon as BoilerKey was released.

The extension works by taking as input a user's Duo Mobile URL from the initial setup process.

While Scholer believes two-factor authentication is important, it's the way in which ITAP implemented BoilerKey that led him to create the extension. For example, the "pin,push" change to a user's password was described as "outrageous" by Scholer. 

Generally, according to Scholer, a user would input their normal username and password, log in, and then be asked for a six-digit code that the user would get from their phone or other device.

"There's just a lot of parts of it (BoilerKey) that are like, really just kind of makes me cringe at least from a software standpoint," Scholer said.

The original framework came from a forum post on the Purdue subreddit, a small community of Boilers on the popular social media site reddit.com.

"Somebody posted on the Purdue subreddit a Python script that he wrote that basically generates those six digit codes for you on your computer," Scholer said. 

However, for the script to work, a user would have to run it each time they wanted to log in, which proved to be a longer process than using the Duo Mobile app on a smartphone, Scholer said. Instead, Scholer took the script and rewrote it in JavaScript, a web development programming language, and turned it into a Chrome extension.

As of today, 283 people have downloaded the extension onto their devices, according to Scholer. Some users were so satisfied with the extension they even sent messages of praise to Scholer. 

"This guy said, 'Props for making this plugin, BoilerKey is gross,'" Scholer read aloud.

"'You are a beast. Thanks for looking into this,'" another user said. 

While even Scholer's professors have commended him on his initiative, ITAP warns users to proceed with caution. 

"ITAP is aware of it (the extension) and has not yet determined all the security ramifications of it. It may expose your account data and you should be cautious about using it," Greg Kline, IT Communications Manager, said. 

Scholer admits the extension reduces security "somewhat," but says it doesn't do so by much because it still uses two-factor authentication, with the user's computer serving as the second device as opposed to an actual second device, such as a phone. If a user were to log into a computer on campus and open Google Chrome, the extension would need to be reinstalled.

"You feed it that link, and then with that it hits ... Duo's servers, gets a code, and then using an open source algorithm that you can just download, look up, whatever, it uses that code and generates a six digit (set)," Scholer said. 

Even if you opt-in to give the extension a username and password, Scholer said, it stores that information locally on the computer. 

"I'm not collecting any of your data," Scholer said. "It's not going anywhere but it is sitting right there in plain text on your computer."

ITAP still warns users of the possible consequences of bypassing two-factor authentication when it comes to BoilerKey.

"It provides an extra layer of protection for Purdue's network and the data stored on it," Greg Hedrick, Purdue Chief Information Security Officer, said.  "That includes students' personal data that, if compromised, could be used for identity theft. Purdue is under constant attack, as is any large institution with a significant computer network and a lot of stored data. When you bypass BoilerKey, you make it more likely some of those attacks may succeed to your detriment and to the detriment of everyone else at Purdue."

