Educause Security Discussion mailing list archives
Re: MFA requirement for faculty
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Wed, 12 Sep 2018 19:20:27 +0000
1. Did you require it everywhere, or have exempt locations? Like on your campus network, perhaps.

We exempt on campus networks for Office365. This was instrumental in my opinion in allowing us to roll out MFA to all users (27,000) within 6 months. This was especially so since our intranet solution is Office365 based, and the default home page on campus computers. Requiring MFA for the intranet from on campus would have been a large political and PR problem. MFA for other high risk services like Banner is required everywhere. People didn't like this, but I think they get that for a system like the ERP it makes sense.

2. Did you allow devices to be "remembered?"

For Office365 we allow a 30-day remember me. For Banner, partially by design and partially the way Azure AD MFA works, we don't provide a remember me function. We're hoping to change this and give us more options as we move to Conditional Access in the coming year. We'll have to come up with something better when we add MFA to ERP self-service later this year.

3. Was there any blowback from "helicopter parents" that were used to accessing their "child's" account?

No. I also wondered if we would hear from senior leaders who might be sharing passwords with their admin assistants, but that hasn't been an issue.

4. If yes to #3, how did you deal with it?

N/A

Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of McClenon, Brady
Sent: Wednesday, September 12, 2018 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA requirement for faculty

For those that rolled out MFA:

1. Did you require it everywhere, or have exempt locations? Like on your campus network, perhaps.
2. Did you allow devices to be "remembered?"
3. Was there any blowback from "helicopter parents" that were used to accessing their "child's" account?
4. If yes to #3, how did you deal with it?

Brady McClenon
IT Security Administrator
ITS - IT Security
SUNY Oneonta
Information Security is Everyone's Responsibility! Learn more at http://staysafeonline.org/ncsam/

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Manjak, Martin
Sent: Wednesday, September 12, 2018 1:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA requirement for faculty

As far as Azure AD MFA, and the lack of token support, our experience was similar to Chris's. Out of nearly 16k student enrollments, we had less than a dozen who requested exemption based on not having a device to receive the second factor.

We limited our rollout to students only. Anyone whose account was compromised as a result of social engineering, regardless of their affiliation, is enrolled. FAC/STAFF can request enrollment, but we haven't mandated it yet.

BTW, here's an article on 2-Step Login (our branding of MFA) that appeared in the last issue of our student press. [1]

Marty Manjak
CISO
University at Albany

[1] http://www.albanystudentpress.net/opinion-two-step-verification-long-overdue/

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Gregg, Christopher S.
Sent: Wednesday, September 12, 2018 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA requirement for faculty

We require MFA for all users (faculty, staff, and students) for Office365, Banner and a couple of other applications. Adding MFA to other higher risk systems is in the works for this year. We had executive support to include all users, and the rollout went smoother than I anticipated.

We're using Microsoft Azure AD MFA which doesn't support hardware tokens (yet) so we did need to exempt a small population of about 40 users who didn't have a cell phone, and couldn't use a desk phone as their 2nd factor. I expected we might get a run on people saying they didn't have a cell phone if they thought it would get them out of MFA, but that didn't really happen. Most of those 40 people were faculty though so you may want to factor that into your planning.

Thanks,
Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pitt, Sharon
Sent: Wednesday, September 12, 2018 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Fw: MFA requirement for faculty

Sending to the security list for response. Harvard, you may want to consider joining this constituent group list. In the meantime, I ask that we copy Harvard on responses.

As a quick response to Harvard, the University of Delaware requires MFA for all users (including faculty) on multiple tools, to include anything associated with our ERP and email.

Thanks all!

Sharon P. Pitt
Vice President of Information Technologies
University of Delaware
030 Smith Hall
Newark, DE 19716
(302) 831-0221
Co-Chair, Higher Education Information Security Council (HEISC)
spitt () udel edu
twitter@sppitt

________________________________
From: The EDUCAUSE CIO Constituent Group Listserv <CIO () LISTSERV EDUCAUSE EDU> on behalf of Harvard Townsend <harvard.townsend () WHEATON EDU>
Sent: Wednesday, September 12, 2018 10:01 AM
To: CIO () LISTSERV EDUCAUSE EDU
Subject: [CIO] MFA requirement for faculty

Good morning,

We need some help selling multi-factor authentication to our faculty. Quick question - how many of you require MFA for faculty? We currently require it for staff and are now moving forward with faculty. Replies to the mailing list or directly to me are greatly appreciated.

Regards,
--
Harvard Townsend
Director of Infrastructure & Security
Academic & Institutional Technology
Wheaton College, IL
Office: (630)752-5528

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.