
Hi.  NYU is doing a bit of investigation that will likely lead to piloting use of
2-factor authentication for selected services and/or users in the coming year.  It 
would be helpful for us to get some quick, current snapshots of where other institutions 
are with respect to implementing 2-factor.  So if you feel inclined, could you answer 
these questions (and add any other comments you wish)?   If there's anything to 
summarize back to the list, I'll certainly do so.

Thanks - Gary Chapman, NYU / Identity Services

1. Name of institution

2. Are you using 2-factor authentication at your institution?

3. If not, do you have plans to do so in future?

4. If you are using 2-factor...

    a) how broadly?  for specific applications, for specific audiences?

    b) what vendor are you using?

    c) what technology are you using for your 2nd factor (card / phone / etc)?

5.  Advice?  Warnings?  Comments in general?


Comments

On 12/18/2013 9:49 AM, Gary Chapman wrote:

1. Name of institution

University of Minnesota

2. Are you using 2-factor authentication at your institution?

Yes.  We are actually in the process of transitioning from one system to another.

4. If you are using 2-factor...

    a) how broadly?  for specific applications, for specific audiences?

When our current system was put in place around 2007 or so, two factor was required for "enterprise systems".  What this meant in practice was administrative access to student/HR/financial systems (Peoplesoft), document management, and reporting, as well as command-line access to servers by sysadmins, and for selected VPN instances (usually used for server management).

One of the policy changes that is in the final stages of approval is to shift this requirement so that it is data classification rather than system type that determines the necessity for two-factor access.  Data classified as "private, highly restricted" will require two-factor, "private, normally restricted" recommends its use, while "public" data will not require it.  This is expected to allow some systems that had required two-factor to eliminate its use, or to restrict the scope of its requirement to the portions of the system that deal with private data.  And some systems that had not needed it previously may need to start using it now.  The idea is to better align the policy requirements with institutional risk.

    b) what vendor are you using?
    c) what technology are you using for your 2nd factor (card / phone / etc)?

We have been using Safeword PremierAccess with Safeword Silver hardware tokens (branded as the "M Key").  There is an informational page at www.umn.edu/mkey with more details.  The "first" factor in this system was the token PIN.

We are in the process of moving to Duo Security.  We will be using our LDAP directory password as the first factor, and Duo's variety of choices of second factor (smartphone app, SMS of passcodes, phone callback, and possibly HOTP/TOTP hardware and/or software tokens).  The information page is in the process of being built.  We are already "live" for a small set of pilot users (Linux sysadmins), and expect to enable several applications in the January/February timeframe.

5.  Advice?  Warnings?  Comments in general?

After our initial RFP contract was up, prices for tokens skyrocketed, partly due to the tech getting older, partly due to the vendor's software not having a viable upgrade path for us (currently running on Solaris, which we are trying to abate in favor of Linux; vendor does not have a Linux version and the Windows version, which supports newer tokens, is not compatible with one of the key agents we need to have working), partly due to multiple sales/spinoffs of the company and product line (I think it went Safeword->Aladdin->McAfee->Safenet).

If two-factor is new for you, you'll need to have a plan for rolling it out.  For our initial rollout, we converted a set of applications each week over a few months.  Each time, we sent out tokens a bit in advance to the set of users of the applications being converted who had not received a token yet.  By carefully arranging the order of conversion, we were able to keep the number of new users per week down to a reasonable level.

Operating the service has been a partnership between our identity management (who runs the low-level service and authentication services like RADIUS/LDAP for it), data security (who manage the access requests for applications, send out new/replacement tokens, and perform 2nd-level support), and helpdesk (who provide front-line support) groups.  Involve everyone as early as possible so you can start to understand what the necessary business processes and workflows will look like.

Ask your internal IT auditor to review your plans, so you don't have to worry about surprises later if they don't feel you have sufficient controls in your processes.

Make sure you have a way to accommodate all of the users who will need to use two-factor.  With our old system, we offered a soft token option for users with visual or motor impairments that made it difficult to use a hardware token.  (We did not offer this option to users who found the token code difficult to read because they neglected to remove the protective "REMOVE" sticker that comes on the token ;)   Our new system allows for a variety of auth methods that should cover most everyone.

Never go against a Sicilian when death is on the line.
--
%% Christopher A. Bongaarts %% cab@umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
Gary, you can look at materials on the MFA Cohortium website:


As to presentations from a couple of campuses on their deployments of MFA, there is a slide set there from Penn:


and there are Adobe Connect recordings of a presentation by Rob Carter on MFA at Duke (integrated with Shib IdP), and the presentation from Penn (Chris Hyzer, integrated into Cosign SSO) for which those slides were presented. See the list of Cohortium meetings with their associated "Recording" links.

And there is the PDF of the presentation on MFA and the Cohortium given as part of the IAM Online series in September, and which can also be found on the IAM Online website:


Message from pradtke@gmail.com

Patrick, Do you think you could mitigate some of the grief your staff is getting by being more selective about which applications use 2FA? Seems like a more selective approach, where 2FA is more logically applied to the more sensitive access requirements, could help with your last comment and the added burden on the help desk.

Earl
earl.lewis@utah.edu
801-581-3635 (office)
801-554-3596 (mobile)

On 12/18/13 10:45 AM, "Patrick Radtke" wrote:
Message from pradtke@gmail.com

On 12/18/2013 09:49 AM, Gary Chapman wrote:

1. Name of institution
University of Arkansas

2. Are you using 2-factor authentication at your institution?
Not as a campus strategy. Some groups (notably PCI) have deployed 2-factor.

3. If not, do you have plans to do so in future?
Yes. We plan on implementing 2-factor as we address our lack of identity management. The two will likely proceed together.
We currently plan on investigating a variety of solutions from soft TOTP/HOTP tokens (Google Authenticator) as well as physical tokens. We may deploy a mix of methods. In our current view of the world, we'd like to limit our authentication to three paths: Shibboleth/SAML, RADIUS/Diameter, and Active Directory. If we've gotten that part right, whatever we pick will have to work smoothly with all three.


-- 
Don Faulkner, CISSP | CISO at the University of Arkansas
contact>> donf@uark.edu | +1 (479) 575-2901
connect>> uarkITS on Facebook | @uaits | @dfaulkner
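The soft HOTP/TOTP tokens mentioned in the University of Minnesota reply (Duo's HOTP/TOTP option) and the University of Arkansas reply above (Google Authenticator) all implement RFC 4226 (HOTP) and RFC 6238 (TOTP). The Python below is an example added to this page, not code from either institution, from Duo or from Google. It implements both algorithms and checks them against the test secret published in the RFCs, then shows the verifier-side logic a deployment actually needs and that the RFC algorithm alone does not give you: a bounded clock-drift window, constant-time comparison, and rejection of a code whose time step has already been consumed, so that a code intercepted by a phish or SMS forwarding cannot be replayed. The `TotpVerifier` class, its `window` and `last_step` handling, and the demo values are this example's own assumptions.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a replay-resistant verifier.

Added example for this thread; not code from any institution or vendor
named above.  The test secret is the one from the RFC test vectors.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# Constructed test data, never a production key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


class TotpVerifier:
    """Server-side TOTP check (assumed design): drift window plus replay rejection."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window   # accept codes from +/- this many steps of clock drift
        self.last_step = -1    # highest time step already accepted for this user

    def verify(self, code: str, now: int) -> bool:
        # Reject malformed input before touching the HMAC (length/charset only).
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        matched = -1
        # Evaluate every step in the window rather than returning on the first hit,
        # so the response time does not reveal which step (if any) matched.
        for offset in range(-self.window, self.window + 1):
            step = current + offset
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code) and step > self.last_step:
                matched = max(matched, step)
        if matched < 0:
            return False
        # Burn the step: the same code (or any older one) is never accepted again.
        self.last_step = matched
        return True


if __name__ == "__main__":
    # Demo against the RFC vectors, then a live code for the current clock.
    print("HOTP counter 0 ->", hotp(RFC_SECRET, 0))            # RFC 4226: 755224
    print("TOTP at t=59   ->", totp(RFC_SECRET, 59, digits=8))  # RFC 6238: 94287082
    v = TotpVerifier(RFC_SECRET)
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("first use accepted:", v.verify(code, now))
    print("replay accepted:   ", v.verify(code, now))
```

Two points worth keeping from this for a pilot: the drift window is a policy choice (a window of 1 step already tolerates about a minute of phone clock skew at the cost of a 3-in-10^digits guess chance per attempt, so rate-limit attempts as well), and per-user state (`last_step` here) has to live wherever authentication is centralised, RADIUS, LDAP or the SSO IdP, otherwise each application integrates replay protection separately or not at all.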

Happy new year all!

We are seriously considering implementing 2-factor authentication for a subset of users at our School who have access to the most sensitive institutional data.

Are any of you already doing this? Or plan to soon? How have you implemented it and what types of issues did you face?

Thank you.

-----------------------------------
Tunde Giwa
Chief Technology Officer
The Juilliard School
60 Lincoln Center Plaza
New York NY 10023
212.799.5000 x357

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.


Dear Tunde,

We have implemented 2-factor authentication at the University of Georgia.

Users have a physical device that generates a code for them to enter.

At UGA, we branded the device as the “ArchPass”.

The first phase was completed in June 2013.  However, we began communicating to campus in late 2012 regarding the project and launched a campus-wide communication plan in early 2013.

As a pilot, we provided an ArchPass to all our internal IT staff in late 2012 so they would become familiar with the system prior to deploying to campus.

Our first phase included about 1300 users.  The implementation went very well.

We ensured users had their ArchPass at least two weeks prior to when they would need to use their ArchPass, developed a brochure on how to use the device, and sent personal communications to individuals who would be receiving an ArchPass.

Due to timing of our implementation (summer), there were some users who were not on campus to pick up their device.  Also, some users had questions about why they had access to particular systems.  This was a great opportunity to talk with them and in some cases remove access to these systems.

I would be glad to talk with you further if you have any other questions.

Thank you,
Lynn

Lynn Wilson
Enterprise Information Technology Services
University of Georgia
llatimer@uga.edu
706-542-0723

Hi Tunde,
    Rice has been utilizing 2 factor authN specifically for admin and remote access to windows systems for about 5 years.  We are slowly addressing Mac and *nix based systems as well.  I would encourage you to follow through regardless of the technology used for 2 factor as I personally feel that the password paradigm is long past its useful life.  We are using USB X.509 based credentials, but OTP or cell based along with X.509 if implemented correctly could accomplish your goal.

Here are some items of note

1)  Policy regarding NOT allowing staff to leave a 2 factor device such as a token permanently installed in a system - it defeats the purpose and can be used for relaying credentials if that system is compromised and proper configuration is not regulated.
2)  Ensure that if your environment needs cross-platform access, whatever mechanism you choose can support it.  An example is the Microsoft RDP client for Mac does not support 2 factor, so if your default desktop is a Mac, you can't remote RDP into a Windows system using the Microsoft RDP client for Mac.  The Linux rdesktop client does support 2 factor RDP, however.
3) Make sure that whatever you choose is well tested throughout your environment and that you adhere to your principle of needing to protect the most valuable resources.  You should not compromise here, if it does not work, don't settle for something less - why bother.
4) 2 factor is not a panacea, it will not close all avenues of access but it will certainly close 1 and mitigate a number of others.
5) Perform a risk analysis and risk assessment if you are having a hard time selling this to management.  Breach costs are fairly well defined now and there are registries of breaches and data spills online you can tap.
6) You may also want to consider cloud  migrations as another need for a higher LOA for remote access.  In this case you no longer control the back end and have to rely more on remote access and other forms of security to maintain access control comfort levels.
7) Don't confine your discussions to just 2 factor, look at provisioning, deprovisioning, and access controls as well.  This will form a full picture of the security you are trying to accomplish.

I hope this helps
Regards,
Barry

On 1/16/2014 12:51 PM, Tunde Giwa wrote:

Message from brivers@uga.edu

UGA implemented 2-factor authentication for around 1700 employees last year.  We used a virtual private network as opposed to integrating the authentication into the systems directly.  We converted several legacy systems to 2-factor so the VPN strategy made that more feasible.  What was most important to us to get right was the user experience through the migration.  Our deployment of the tokens was high-touch and we invested a good bit of time ensuring our users knew the how, when and why.  Having been through several of these in my career, the people side of these technology projects can be underestimated and result in a poor deployment.

Feel free to contact me directly if you want any specifics.

Brian Rivers
Associate CIO, Information Security
University of Georgia

Let me add to Lynn’s comments. We wanted to avoid complexity and cost of integrating multi-factor at the application level while achieving the same benefit; so we applied multi-factor at the network level only. In essence, we put another firewall around systems with sensitive information and you must multi-factor into that secured network via VPN in order to access them. Once you have used your ArchPass to VPN into that secure network you then access the app just as you would normally. This is required whether you are on or off our campus network, whether you are on a wired or wireless network at UGA. Right now - we have issued about 1700 or so employees, including some groups of faculty, who are assigned an ArchPass. We would be happy to discuss further if it is helpful.

Here is a good resource for taking a look at multi-factor:

The MFA Cohortium is looking at how you deploy multi-factor at scale and what some of the key administrative issues are for managing this. Internet2/InCommon has some funding from NIST to support this and we are broadly sharing the use cases and results.

We are still in the early stages but I think over this year, this will be a great resource for institutions thinking about multi-factor.

As a point, UMBC is going forward with Duo, the phone-based multi-factor.
Good luck,

jack

Jack Suess
UMBC VP of IT & CIO
jack@umbc.edu
1000 Hilltop Circle
Baltimore Md, 21250
410.455.2582
Homepage: http://bit.ly/fSB5ID


