Re: MFA requirement for faculty

[Gael Frouin <gfrouin () BERKLEE EDU>]

Hello,

We are in the process of deploying it for all our constituents in a phased
approach (departments by departments: first administrative ones and soon
academic ones. Then we will address students) to all SSO-enabled
applications (which is "most" applications and VPN connections. Within the
next year we will have our email behind SSO as well so it will eventually
be covered.

1. Exemptions: Not required from on-campus. This has made the pill easier
to swallow and simplified the roll-out so far.
2. Remember devices: yes for 30 days
3. Blowback from parents: We have not rolled it out to our students yet.
4. N/A at the moment

Gaël Frouin
*Information Security Officer*
*Berklee*

On Wed, Sep 12, 2018 at 5:59 PM Harvard Townsend <
harvard.townsend () wheaton edu> wrote:

> 1.       Currently no exemptions, but plan to exempt lab and classroom
> computers; still debating exempting employee computers
>
> 2.       Yes, with a 30 day “remember” period
>
> 3.       Haven’t rolled it out for students yet.
>
> --
>
> *Harvard Townsend*
>
> Director of Infrastructure & Security
>
> Academic & Institutional Technology <http://www.wheaton.edu/ait>
>
> *Wheaton College, IL*
>
> *Office:*    630.752.5528
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *McClenon, Brady
> *Sent:* Wednesday, September 12, 2018 12:37 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] MFA requirement for faculty
>
>
>
> For those that rolled out MFA:
>
>
>
>    1. Did you require it everywhere, or have exempt locations?  Like on
>    your campus network, perhaps.
>    2. Did you allow devices to be “remembered?”
>    3. Was there any blowback from “helicopter parents” that were used to
>    accessing their “child’s” account?
>    4. If yes to #3, how did you deal with it?
>
>
>
>
>
>
>
> Brady McClenon
>
> IT Security Administrator
>
> ITS – IT Security
>
> SUNY Oneonta
>
>
>
> *Information Security is Everyone’s Responsibility! * Learn more at
> http://staysafeonline.org/ncsam/
>
>
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Manjak, Martin
> *Sent:* Wednesday, September 12, 2018 1:28 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] MFA requirement for faculty
>
>
>
> As far as Azure AD MFA, and the lack of token support, our experience was
> similar to Chris’s. Out of nearly 16k student enrollments, we had less than
> a dozen who requested exemption based on not have a device to receive the
> second factor. We limited our rollout to students only.
>
>
>
> Anyone whose account was compromised as a result of social engineering,
> regardless of their affiliation, is enrolled.
>
>
>
> FAC/STAFF can request enrollment, but we haven’t mandated it yet.
>
>
>
> BTW, here’s an article on 2-Step Login (our branding of MFA) that appeared
> in the last issue of our student press. [1]
>
>
>
> Marty Manjak
>
> CISO
>
> University at Albany
>
>
>
> [1]
> http://www.albanystudentpress.net/opinion-two-step-verification-long-overdue
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.albanystudentpress.net%2Fopinion-two-step-verification-long-overdue&data=02%7C01%7Cbrady.mcclenon%40ONEONTA.EDU%7Cb5b6b6f805b145868f0b08d618d526e4%7Cb2c9b1a8d1ad4c9f9172728a8c08eb65%7C1%7C0%7C636723701094745657&sdata=3Up%2Be1%2BCDD8uF03rCmixPSSVdyERrNlAIr8hE5qNeNE%3D&reserved=0>
> /
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Gregg, Christopher S.
> *Sent:* Wednesday, September 12, 2018 10:47 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] MFA requirement for faculty
>
>
>
> We require MFA for all users (faculty, staff, and students) for Office365,
> Banner and a couple of other applications.  Adding MFA to other higher risk
> systems is in the works for this year.
>
>
>
> We had executive support to include all users, and the rollout went
> smoother than I anticipated.  We’re using Microsoft Azure AD MFA which
> doesn’t support hardware tokens (yet) so we did need to exempt a small
> population of about 40 users who didn’t have a cell phone, and couldn’t use
> a desk phone as their 2nd factor.  I expected we might get a run on
> people saying they didn’t have a cell phone if they thought it would get
> them out of MFA, but that didn’t really happen.  Most of those 40 people
> were faculty though so you may want to factor that in to your planning.
>
>
>
> Thanks,
>
>
>
> Chris
>
>
>
>
>
> *Chris Gregg*
> Associate Vice President of Information Security & Risk Management, CISO
> Information Technology Services (ITS)
> csgregg () stthomas edu
> p 1 (651) 962-6265
> *University of St. Thomas* | stthomas.edu
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.stthomas.edu&data=02%7C01%7Cbrady.mcclenon%40ONEONTA.EDU%7Cb5b6b6f805b145868f0b08d618d526e4%7Cb2c9b1a8d1ad4c9f9172728a8c08eb65%7C1%7C0%7C636723701094745657&sdata=5hITmiRE5FEvf1fO2IlxaGIDdYVitQLYeEPUT9lO664%3D&reserved=0>
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Pitt, Sharon
> *Sent:* Wednesday, September 12, 2018 9:20 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Fw: MFA requirement for faculty
>
>
>
> Sending to the security list for response.  Harvard, you may want to
> consider joining this constituent group list.  In the meantime, I ask that
> we copy Harvard on responses.
>
>
>
> As a quick response to Harvard, the University of Delaware requires MFA
> for all users (including faculty) on multiple tools, to include anything
> associated with our ERP and email.
>
>
>
> Thanks all!
>
>
>
> Sharon P. Pitt
>
> Vice President of Information Technologies
> University of Delaware
>
> 030 Smith Hall
>
> Newark, DE 19716
>
> (302) 831-0221
>
>
>
> Co-Chair, Higher Education Information Security Council (HEISC)
>
>
>
>
>
> spitt () udel edu
>
> twitter@sppitt
>
>
>
>
> ------------------------------
>
> *From:* The EDUCAUSE CIO Constituent Group Listserv <
> CIO () LISTSERV EDUCAUSE EDU> on behalf of Harvard Townsend <
> harvard.townsend () WHEATON EDU>
> *Sent:* Wednesday, September 12, 2018 10:01 AM
> *To:* CIO () LISTSERV EDUCAUSE EDU
> *Subject:* [CIO] MFA requirement for faculty
>
>
>
> Good morning,
> We need some help selling multi-factor authentication to our faculty.
> Quick question - how many of you require MFA for faculty? We currently
> require it for staff and are now moving forward with faculty. Replies to
> the mailing list or directly to me are greatly appreciated.
> Regards,
> --
> Harvard Townsend
> Director of Infrastructure & Security
> Academic & Institutional Technology
> Wheaton College, IL
> Office: (630)752-5528
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/discuss
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.educause.edu%2Fdiscuss&data=02%7C01%7Cbrady.mcclenon%40ONEONTA.EDU%7Cb5b6b6f805b145868f0b08d618d526e4%7Cb2c9b1a8d1ad4c9f9172728a8c08eb65%7C1%7C0%7C636723701094745657&sdata=UCqqV5Aks7jIJHLo27uSBBk1ESNnfriqlJw9b0UAUQI%3D&reserved=0>
> .