8

I am a graduate student at a university in California. The university is planning a policy change which will require me to use a "hardware token" (a little device which generates one-time passwords) to log in to any university online resources, including the services which allow me to view and pay bills. I find this rather concerning, because I often find myself needing to access university resources at unpredictable times, and I cannot guarantee that I will have the hardware token available when I need it. Do I have legal grounds for complaint?

It seems to me that if it were legal to require people to use hardware tokens for accessing and paying bills, then everyone would do it (e.g. banks). But it is quite unreasonable to expect people to have hardware tokens for every service they use.

To be clear, I'm not proposing to sue my university, only to complain and encourage them to provide alternatives to the hardware token.

user15934

3 Answers

36

There is little prospect for suing over this measure. The university has a legitimate interest in verifying that access to online systems is only granted to authorized users, and simple passwords are considered to be insufficient. (I don't intend to argue about password technology; I'm just making the observation that two-factor authentication is better than single-factor authentication.) I have not encountered this requirement in US banks yet, but I have encountered it in Norway, where an online transaction always requires a password and a code generated by a gadget of the type you alluded to.

I surmise that your university mandates that all payments be done online, which means that you must have access to a computer in order to pay a bill. It is not reasonable to expect people to have a computer that is connected to the internet at all times, but it is reasonable (and often done, by universities) to expect people to be able to so connect some of the time. So likewise, it is not reasonable to expect that people will have their authentication gadget available at all times, but it will be available some of the time, and thus there is no insurmountable impediment to paying the bill (or accessing the library, or reading email...).

These gadgets do, however, potentially run afoul of ADA, but presumably they know that and can make accommodations.

user6726
6

I'm pretty sure any judge is going to give the business broad leeway to self-determine the manner in which they secure their electronic systems.

Where your argument disintegrates (or coalesces) is what may be blindsiding you: There's more than one way to pay a bill. Or there ought to be.

The court system is an entity that runs on paper. And it runs on physical service. The court is going to have zero sympathy for the argument (from the college or a millennial) that "online is the only way to pay a bill". That will be seen as an idle preference and certainly not court enforceable.

I mention this because this is the perspective from which the Court will see your problem:

For over a century, the normal way of doing billing is for a business to mail a paper bill (typically once a month on specific dates) and grant 20-30 days for the recipient to pay it by postal mail. The time is for postal transit both ways, and to allow the customer to gather his mail and sit down and pay bills at sane intervals (e.g. twice a month). If you look closely at e-bill mechanisms, you'll see they are abstractions of this.

As such, taking a 15 day sabbatical isn't a problem - just check your mail and pay every bill you have, then do it again promptly on return. You can extend this to 45 days if you know what bills you are expecting. Not knowing which bills to expect is a bit alarming!

If you overpay a service bill such as a gas or insurance bill, the money is still yours. It is carried as a credit on your account, and applied to future bills. The college should do exactly the same thing. (I only pay my gas bill about once a year.)

Also, once you become a student and enter normal billing, it's likely the bill comes due after you've started the service. That makes it a debt. Cash is legal tender for all debts public and private which means the university cannot refuse.

So -- the questions that will come up in court:

  • Why can't you act within the normal billing cycles (as I describe above)?
  • Why can't you pre-pay expected bills (again as I describe above)?
  • Why are you frequently being caught by surprise by bills (are you not aware when you contract services)? This makes you look oblivious.
  • Why can't you receive bills by paper mail and pay by check? (no 2-factor authentication).
  • Why can't you walk into the billing office, ask for a printout of your bill, and drop off or mail a check or cash?

I don't think you'll have credible answers for those questions. If you do, I'd say you have a case.

Harper - Reinstate Monica
4

As a graduate student at a UC school, you are a private customer of a business run on behalf of the State of California. Given private contract law and the general framework in the USA and California, I think they can require that customers pay bills by using two-factor authentication, as there are not any laws that explicitly forbid it.

In general, to sue you must have standing and show damages. I don't see how the risk of forgetting your hardware token rises to an actionable claim. Until you have shown damages, I don't see any reasonable claims here. I'd expect the courts to ask if it was a sound and reasonable policy and dismiss the claim.

Your second paragraph doesn't follow. Setting up two-factor authentication costs money, so not every organization would want to do it. It can be cheaper to either pay the costs from authentication fraud or to move the risks and costs to someone else. See how the credit card industry deals with this. Credit card holders have little to no liability on stolen cards/numbers (the bank makes you whole). Also note that many credit card companies will make the vendor that took the card pay them back for the bad charges if the vendor can't prove the charge was from the actual card holder.

Also, FYI, suing in cases like this is expensive and a distraction. There are many better ways to solve problems than to sue your school because you are worried that the security policy is too tough. Have you talked to anyone in the school administration about this issue?

Walter