🔒️Upcoming Change: Passwordless Login for Instructors🔒️


Hey instructors,
In the coming days we are going to change the way you log into Udemy. As it stands, you are asked to enter your email address and password, followed by an MFA one-time code sent to your email, which you need to validate in order to access the platform.
Our goal is to reduce the number of steps it takes you to log in while also improving the security of our platform. That is why we are going to roll out passwordless authentication for our instructors, which is currently live for our learners.
What does this mean for you?
- You will no longer be asked to enter your email & password followed by an MFA; instead, you will be asked for your email and an MFA code only
- There will be no need to remember passwords to log in*
What's the benefit of this?
- Less friction for you as we are removing authentication steps
- Improved security for Udemy as passwords are generally weak and targeted by bad actors
- A stepping stone towards more enhanced security measures which Udemy would like to implement, such as SMS, biometric and/or passkey authentication
* The email/password flow will remain active for some time as a fallback when needed.
Teach on,
Ryan
Comments
-
Hi,
This change is more annoying. Every time we need to log in to 2 apps to complete what is supposed to be a single login process. How is it better than just typing email and password?
We haven't seen this kind of strange model anywhere else.
2 -
Nice, thanks for the update @RyanJaress :-)
0 -
So we still have to check our email to get a code every.single.time….?
1 -
Thank you Ryan. Perhaps looking into Passkeys will reduce friction further.
0 -
Could the new proposed user-register solution create the possibility of serious arbitrary security breaches at Udemy?
For example;
(Hacker News) "On the topic of old email addresses, make sure your old email provider doesn't release your email address after so many years / months. This is a common way to get access to accounts by creating a new email account with the same address as an expired address and then using an email-based password reset to gain access to the account." "This is really a big problem since one is forced to keep old addresses active and around. But your email provider, even if it's a paid service, may have stupid policies to recycle addresses very soon and may not make exceptions for you."
Problem example description:
Larger instructor accounts may have 10k-10M registered users. Udemy has a recent history of security breaches, disgruntled employees, employees causing the company damage, serious complaints about employees related to code and functionality, and hackers even docking the Udemy site, creating their own Udemy site on top of Udemy and collecting the paid monies.
A. If a "hacker" were to obtain such an instructor's client database with emails, it could simply check if the emails are active with a simple loop and try to register new emails wherever the email is bounced or not delivered. Even if 5% of the mail addresses are recycled, the new system results in a serious textbook danger to all instructors as the hacker could cause arbitrary damage to the instructor and Udemy.
B. Some old email history stats from a larger US e-mail deliverer show that emails tend to become inactive at around 10% per year. Few addresses remain active after 5 to 10 or 20 years.
Customer example description:
A family likes Apple, 4 people buy 6 new AppleID devices per year. While Apple certifies that no original iCloud addresses for AppleIDs are ever recycled, they also provide every AppleID account with 3-1k iCloud aliases. These aliases are recommended for use with, inter alia, Udemy or any businesses or any internet activity nowadays. For these aliases, Apple certifies no promise or contractual binding, implicit or explicit, that states that aliases won't be recycled, reused, or reactivated if abandoned or permanently deleted, as often happens when a new AppleID device is purchased, such as a computer, iPhone, TV, or iPad. (Apple is considered a very safe, high reputation email provider.)
Proposed solution: the Password option should remain and also be enforced. And while e-mail could be made sufficient to login to an account using the proposed solution, making any changes should require a password.
Regards
0 -
Ryan said "The email/password flow will remain active for some time as a fallback when needed." Maybe they already know which instructor emails are bouncing, and are retaining password authentication for those cases.
There's no evidence that our email addresses have been compromised anyhow, but I suppose anything's possible.
0 -
I'm not the biggest fan of passwordless authentication, but it works and it seems many online apps and services are moving towards that direction with OTPs, magic links, QR code authentication, etc.
I think the biggest drivers for Udemy doing this are:
1) User convenience: The 73+ million students no longer have to remember passwords.
2) No more password-related tickets: Removes the burden of dealing with password reset issues, and inevitable service desk tickets for people with password-related issues.
So long as your devices with access to your email accounts and your email accounts themselves don't get compromised, you're fine - but the moment they do, your account can get compromised.
I've been using it with my Udemy accounts (student and instructor accounts) for awhile now without any issue. But I'd prefer traditional MFA with both my password and a OTP (at least for instructor accounts) because the risk landscape for instructors (especially the largest accounts who make 5-figures monthly) is much higher than for students. And for sensitive account changes, I'd hope Udemy now implements a secondary authentication process, such as changing your instructor account's bank and tax information.
0 -
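The proposal a few comments earlier (keep the password and require it for any change) and the wish just above for a secondary authentication step before changing bank and tax details describe the same control: email-code login for the session, plus a step-up check before anything sensitive. The following is an added illustration of that pattern, not Udemy's code or anything from the announcement. The class and function names, the limits (a five-minute code lifetime, five attempts per code, a ten-minute step-up window), the PBKDF2 work factor and the in-memory storage are all assumptions made for the demo; a real deployment would email the code instead of returning it.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300          # assumed: an emailed code lives five minutes
MAX_OTP_ATTEMPTS = 5           # assumed: five wrong guesses burn the code
STEP_UP_WINDOW_SECONDS = 600   # assumed: a password check stays fresh ten minutes
PBKDF2_ROUNDS = 100_000        # assumed work factor for the fallback password


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class OtpStore:
    """One pending email code per address: stored hashed, time-limited, single use."""

    def __init__(self):
        self._pending = {}   # email -> [code_hash, expires_at, attempts_left]

    def issue(self, email: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # six digits, CSPRNG-backed
        self._pending[email] = [_sha256(code), now + OTP_TTL_SECONDS, MAX_OTP_ATTEMPTS]
        return code   # this is what would be emailed; returned only for the demo

    def verify(self, email: str, code: str, now: float) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(email)           # expired or guessed too often: discard
            return False
        entry[2] -= 1                          # count every attempt, right or wrong
        if hmac.compare_digest(code_hash, _sha256(code)):
            self._pending.pop(email)           # single use: a replayed code fails
            return True
        return False


class Account:
    """Instructor record; the password is the second factor kept for sensitive changes."""

    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._derive(password)
        self.payout_details = None

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self.password_hash)


class Session:
    def __init__(self, email: str, now: float):
        self.email = email
        self.logged_in_at = now
        self.step_up_at = None   # when the password was last proven in this session


class AuthService:
    def __init__(self):
        self.otps = OtpStore()
        self.accounts = {}
        self.sessions = {}

    def register(self, email: str, password: str) -> None:
        self.accounts[email] = Account(email, password)

    def start_login(self, email: str, now: float):
        """Issue a code. The user-facing reply must read the same whether or not the
        address is registered, so this step cannot be used to enumerate accounts."""
        if email not in self.accounts:
            return None
        return self.otps.issue(email, now)

    def finish_login(self, email: str, code: str, now: float):
        """Email + code only, as in the announcement; returns a session token or None."""
        if email in self.accounts and self.otps.verify(email, code, now):
            token = secrets.token_urlsafe(32)
            self.sessions[token] = Session(email, now)
            return token
        return None

    def step_up(self, token: str, password: str, now: float) -> bool:
        """Prove the password before a sensitive change, so a compromised mailbox
        alone is not enough to redirect payouts."""
        session = self.sessions.get(token)
        if session is None or not self.accounts[session.email].check_password(password):
            return False
        session.step_up_at = now
        return True

    def change_payout_details(self, token: str, details: str, now: float) -> bool:
        session = self.sessions.get(token)
        if session is None:
            raise PermissionError("not logged in")
        if session.step_up_at is None or now - session.step_up_at > STEP_UP_WINDOW_SECONDS:
            raise PermissionError("step-up required: confirm your password first")
        self.accounts[session.email].payout_details = details
        return True
```

The points worth noticing: the code is hashed at rest and compared in constant time, it expires, it is single use, and a bounded number of guesses is allowed, so a leaked or replayed code is not a login. Separately, `change_payout_details` refuses to run on a session that was established with the emailed code alone; the caller has to pass `step_up` with the account password first, and that proof ages out. That is the split the thread is asking for: low friction to get in, a second secret before money moves.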
You try to shorten the process but are making it longer. I remember one time after logging in from my phone using a password and being asked for confirmation, I didn't have access to my email and I needed to power on my laptop and check the email password in my ROBOFORM software to confirm the login.
If you didn't add a password in Udemy, you add it in your email provider.
0 -
- "You will no longer be asked to enter your email & password followed by an MFA, instead, you will be asked for your email and an MFA code only"
What method will be used to deliver the MFA code to the instructor? I don't mean "some day", I mean right now that the change is going to go live for instructors.
I hope it is not email, otherwise, it does not make any sense to mention this as a benefit:
- Improved security for Udemy as passwords are generally weak and targeted by bad actors
At the moment, if the email account of an instructor gets compromised (which is not rare; email is not secure), at least the attacker needs to know something else (the Udemy account's password). How does removing that second measure without improving the MFA delivery method improve security?
I don't know of any serious company that delivers MFA tokens by email, and now Udemy is making that the only factor used to authenticate?
Come on.
0