Re: MFA requirement for faculty

["Gregg, Christopher S." <csgregg () STTHOMAS EDU>]

We require MFA for all users (faculty, staff, and students) for Office365, Banner and a couple of other applications.  
Adding MFA to other higher risk systems is in the works for this year.

We had executive support to include all users, and the rollout went smoother than I anticipated.  We're using Microsoft 
Azure AD MFA which doesn't support hardware tokens (yet) so we did need to exempt a small population of about 40 users 
who didn't have a cell phone, and couldn't use a desk phone as their 2nd factor.  I expected we might get a run on 
people saying they didn't have a cell phone if they thought it would get them out of MFA, but that didn't really 
happen.  Most of those 40 people were faculty though so you may want to factor that in to your planning.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu>



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pitt, Sharon
Sent: Wednesday, September 12, 2018 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Fw: MFA requirement for faculty


Sending to the security list for response.  Harvard, you may want to consider joining this constituent group list.  In 
the meantime, I ask that we copy Harvard on responses.



As a quick response to Harvard, the University of Delaware requires MFA for all users (including faculty) on multiple 
tools, to include anything associated with our ERP and email.



Thanks all!


Sharon P. Pitt
Vice President of Information Technologies
University of Delaware
030 Smith Hall
Newark, DE 19716
(302) 831-0221

Co-Chair, Higher Education Information Security Council (HEISC)


spitt () udel edu<mailto:spitt () udel edu>
twitter@sppitt


________________________________
From: The EDUCAUSE CIO Constituent Group Listserv <CIO () LISTSERV EDUCAUSE EDU<mailto:CIO () LISTSERV EDUCAUSE EDU>> 
on behalf of Harvard Townsend <harvard.townsend () WHEATON EDU<mailto:harvard.townsend () WHEATON EDU>>
Sent: Wednesday, September 12, 2018 10:01 AM
To: CIO () LISTSERV EDUCAUSE EDU<mailto:CIO () LISTSERV EDUCAUSE EDU>
Subject: [CIO] MFA requirement for faculty

Good morning,
We need some help selling multi-factor authentication to our faculty. Quick question - how many of you require MFA for 
faculty? We currently require it for staff and are now moving forward with faculty. Replies to the mailing list or 
directly to me are greatly appreciated.
Regards,
--
Harvard Townsend
Director of Infrastructure & Security
Academic & Institutional Technology
Wheaton College, IL
Office: (630)752-5528

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.educause.edu%2Fdiscuss&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cb98080bfc2e44402e8a108d618bacbbb%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636723587922825998&sdata=GNy0jfc3NHV2O4SMXyhD%2BnX4xdYtjO6sVkldRuMhnPg%3D&reserved=0>.