Educause Security Discussion mailing list archives

Re: MFA Student Deployment Questions


From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 17 Jan 2019 03:50:09 +0000

  1.  What methodology did you use to deploy MFA to students, incremental based on a variable or everyone at once?

We rolled Office365 MFA campus-wide in batches over a period of about 8 months.  We enabled MFA for all freshmen on one 
day, sophomores two weeks later, a group of grad programs another week, etc.  We batch-enabled MFA for incoming 
freshmen a few days after their on-campus orientation session last summer.  Starting this fall, all new accounts come 
MFA enabled so new incoming students will set up MFA as they claim their accounts.


  2.  Does your university provide students with hard tokens? If so, do the students have to pay for the token? How 
much?

Not yet.  Microsoft is just starting to support them.  We haven’t completely decided yet how we will handle them.


  3.  How do you manage accessibility issues for students with disabilities?

None were reported to us.  Likely we would have taken each on a case-by-case basis, possibly exempting the account from 
MFA and placing additional controls in place.


  4.  How do you handle situations where students cannot take a device into a proctored testing lab?  Did faculty have 
concerns about raising test anxiety for students? How were they addressed?

This has not come up for us, and probably isn’t an issue since we only require MFA for Office365 from off-campus.


  5.  Are you handling student registration differently than faculty and staff?  Please provide the link to any public 
documentation describing student enrollment.

Not really.  We rolled out MFA to faculty and staff in batches as well over the same period of time.  We will likely 
require employees or their departments to purchase tokens when they are available if the person is unable or unwilling 
to use their cell phone.  Link to our MFA page:  https://stthomas.edu/security/resources/multi-factorauthentication/

Thanks and good luck!

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Stefan Wahe
Sent: Wednesday, January 16, 2019 8:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MFA Student Deployment Questions


We are trying to finalize our MFA student deployment plans.  We have received some interesting questions.  We are 
interested in how your campus managed student deployment (we are partway through our faculty/staff deployment).  I 
would appreciate a response to the following questions.


  1.  What methodology did you use to deploy MFA to students, incremental based on a variable or everyone at once?
  2.  Does your university provide students with hard tokens? If so, do the students have to pay for the token? How 
much?
  3.  How do you manage accessibility issues for students with disabilities?
  4.  How do you handle situations where students cannot take a device into a proctored testing lab?  Did faculty have 
concerns about raising test anxiety for students? How were they addressed?
  5.  Are you handling student registration differently than faculty and staff?  Please provide the link to any public 
documentation describing student enrollment.

I appreciate your responses.

Sincerely – Stefan Wahe


*****************************
Stefan Wahe, CISSP
University of Wisconsin-Madison
Office of Cybersecurity
Deputy Chief Information Security Officer
HIPAA Security Officer
608-265-1177