Re: 2-Factor Authentication / FERPA

[Shawn Merdinger <shawnmer () GMAIL COM>]

Hi Michael,

One can try to make the case that 2FA will provide more security for
the faculty themselves, such as ADP password resets and attacker
access to their W2 tax documents (please see
http://seclists.org/educause/2016/q2/111 ).

If you're hardcore, circulating a pre-breach draft letter that starts
with "I, and a few others at this school, take your security very
seriously....blah, blah, blah" can be a real crowd-pleaser.

The only other tip I can suggest is to look for organizations prepared
to take security seriously....you'll probably have to look outside of
.edu however.

After wrapping-up several years in .edu infosec myself, at this point
I'm thinking about a food truck that only takes cash and bitcoin :)

--scm
Security Researcher and Recovering CISO


On 3/3/17, Dodor, Michael <DodorM () uwstout edu> wrote:
> Greetings,
>
> A number of regional campuses are in discussions on requiring 2-factor for
> access to High Risk data and one of the elements would be non-directory
> (private) FERPA records.
> The consensus concern with such a rollout would be usability on such a large
> scale and backlash from Faculty.
>
> Has anyone implemented and required 2-factor authentication for faculty
> accessing non-directory records? And if so, any tips?
>
> Thank you.
>
> Mike Dodor
> Network Administrator/Information Security
> Learning and Information Technology
> University of Wisconsin - Stout
> 327 Millennium Hall
> Menomonie, WI  54751
> Phone: 715-232-2671
> dodorm () uwstout edu<mailto:dodorm () uwstout edu>