Educause Security Discussion mailing list archives

Re: MFA requirement for faculty

From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Wed, 19 Sep 2018 16:34:16 +0000

I’m happy to share that registration is now available for the October 11 EDUCAUSE Live! webinar focusing on 2FA/MFA.

Campus-Wide Two-Factor Authentication (2FA) Saturation Campaign
Thursday, October 11, 1:00-2:00 pm ET
This presentation by Robert Jorgensen will discuss how Utah Valley University partnered with the National Cyber 
Security Alliance to promote the adoption of 2FA for the student population of 34,000 students using a multifaceted 
saturation campaign that combined the efforts of the administration, IT department, and student groups.
https://events.educause.edu/educause-live/webinars/2018/campus-wide-two-factor-authentication-2fa-saturation-campaign

Please note that this event is part of EDUCAUSE’s annual effort to promote National Cybersecurity Awareness Month, and 
there is no registration fee.

Thank you,
Valerie

Valerie Vogel
Senior Manager, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on 
LinkedIn<https://www.linkedin.com/showcase/higher-education-information-security-council-heisc-/> | twitter: 
@HEISCouncil | vvogel () educause edu<mailto:vvogel () educause edu>

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Gael Frouin <gfrouin () BERKLEE 
EDU>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, September 12, 2018 at 3:32 PM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] MFA requirement for faculty

Hello,

We are in the process of deploying it for all our constituents in a phased approach (departments by departments: first 
administrative ones and soon academic ones. Then we will address students) to all SSO-enabled applications (which is 
"most" applications and VPN connections. Within the next year we will have our email behind SSO as well so it will 
eventually be covered.

1. Exemptions: Not required from on-campus. This has made the pill easier to swallow and simplified the roll-out so far.
2. Remember devices: yes for 30 days
3. Blowback from parents: We have not rolled it out to our students yet.
4. N/A at the moment

Gaël Frouin
Information Security Officer
Berklee

On Wed, Sep 12, 2018 at 5:59 PM Harvard Townsend <harvard.townsend () wheaton edu<mailto:harvard.townsend () wheaton 
edu>> wrote:

1.       Currently no exemptions, but plan to exempt lab and classroom computers; still debating exempting employee 
computers

2.       Yes, with a 30 day “remember” period

3.       Haven’t rolled it out for students yet.
--
Harvard Townsend
Director of Infrastructure & Security
Academic & Institutional Technology<http://www.wheaton.edu/ait>
Wheaton College, IL
Office:    630.752.5528

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of McClenon, Brady
Sent: Wednesday, September 12, 2018 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] MFA requirement for faculty

For those that rolled out MFA:


  1.  Did you require it everywhere, or have exempt locations?  Like on your campus network, perhaps.
  2.  Did you allow devices to be “remembered?”
  3.  Was there any blowback from “helicopter parents” that were used to accessing their “child’s” account?
  4.  If yes to #3, how did you deal with it?



Brady McClenon
IT Security Administrator
ITS – IT Security
SUNY Oneonta

Information Security is Everyone’s Responsibility!  Learn more at http://staysafeonline.org/ncsam/




From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Manjak, Martin
Sent: Wednesday, September 12, 2018 1:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] MFA requirement for faculty

As far as Azure AD MFA, and the lack of token support, our experience was similar to Chris’s. Out of nearly 16k student 
enrollments, we had less than a dozen who requested exemption based on not have a device to receive the second factor. 
We limited our rollout to students only.

Anyone whose account was compromised as a result of social engineering, regardless of their affiliation, is enrolled.

FAC/STAFF can request enrollment, but we haven’t mandated it yet.

BTW, here’s an article on 2-Step Login (our branding of MFA) that appeared in the last issue of our student press. [1]

Marty Manjak
CISO
University at Albany

[1] 
http://www.albanystudentpress.net/opinion-two-step-verification-long-overdue<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.albanystudentpress.net%2Fopinion-two-step-verification-long-overdue&data=02%7C01%7Cbrady.mcclenon%40ONEONTA.EDU%7Cb5b6b6f805b145868f0b08d618d526e4%7Cb2c9b1a8d1ad4c9f9172728a8c08eb65%7C1%7C0%7C636723701094745657&sdata=3Up%2Be1%2BCDD8uF03rCmixPSSVdyERrNlAIr8hE5qNeNE%3D&reserved=0>/

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Gregg, Christopher S.
Sent: Wednesday, September 12, 2018 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] MFA requirement for faculty

We require MFA for all users (faculty, staff, and students) for Office365, Banner and a couple of other applications.  
Adding MFA to other higher risk systems is in the works for this year.

We had executive support to include all users, and the rollout went smoother than I anticipated.  We’re using Microsoft 
Azure AD MFA which doesn’t support hardware tokens (yet) so we did need to exempt a small population of about 40 users 
who didn’t have a cell phone, and couldn’t use a desk phone as their 2nd factor.  I expected we might get a run on 
people saying they didn’t have a cell phone if they thought it would get them out of MFA, but that didn’t really 
happen.  Most of those 40 people were faculty though so you may want to factor that in to your planning.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | 
stthomas.edu<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.stthomas.edu&data=02%7C01%7Cbrady.mcclenon%40ONEONTA.EDU%7Cb5b6b6f805b145868f0b08d618d526e4%7Cb2c9b1a8d1ad4c9f9172728a8c08eb65%7C1%7C0%7C636723701094745657&sdata=5hITmiRE5FEvf1fO2IlxaGIDdYVitQLYeEPUT9lO664%3D&reserved=0>



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Pitt, Sharon
Sent: Wednesday, September 12, 2018 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Fw: MFA requirement for faculty


Sending to the security list for response.  Harvard, you may want to consider joining this constituent group list.  In 
the meantime, I ask that we copy Harvard on responses.



As a quick response to Harvard, the University of Delaware requires MFA for all users (including faculty) on multiple 
tools, to include anything associated with our ERP and email.



Thanks all!


Sharon P. Pitt
Vice President of Information Technologies
University of Delaware
030 Smith Hall
Newark, DE 19716
(302) 831-0221

Co-Chair, Higher Education Information Security Council (HEISC)


spitt () udel edu<mailto:spitt () udel edu>
twitter@sppitt


________________________________
From: The EDUCAUSE CIO Constituent Group Listserv <CIO () LISTSERV EDUCAUSE EDU<mailto:CIO () LISTSERV EDUCAUSE EDU>> 
on behalf of Harvard Townsend <harvard.townsend () WHEATON EDU<mailto:harvard.townsend () WHEATON EDU>>
Sent: Wednesday, September 12, 2018 10:01 AM
To: CIO () LISTSERV EDUCAUSE EDU<mailto:CIO () LISTSERV EDUCAUSE EDU>
Subject: [CIO] MFA requirement for faculty

Good morning,
We need some help selling multi-factor authentication to our faculty. Quick question - how many of you require MFA for 
faculty? We currently require it for staff and are now moving forward with faculty. Replies to the mailing list or 
directly to me are greatly appreciated.
Regards,
--
Harvard Townsend
Director of Infrastructure & Security
Academic & Institutional Technology
Wheaton College, IL
Office: (630)752-5528

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at 
http://www.educause.edu/discuss<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.educause.edu%2Fdiscuss&data=02%7C01%7Cbrady.mcclenon%40ONEONTA.EDU%7Cb5b6b6f805b145868f0b08d618d526e4%7Cb2c9b1a8d1ad4c9f9172728a8c08eb65%7C1%7C0%7C636723701094745657&sdata=UCqqV5Aks7jIJHLo27uSBBk1ESNnfriqlJw9b0UAUQI%3D&reserved=0>.

Current thread:

Re: MFA requirement for faculty, (continued)
- - - Re: MFA requirement for faculty McClenon, Brady (Sep 12)
    - Re: MFA requirement for faculty Hagan, Sean (Sep 12)
    - Re: MFA requirement for faculty Jackson, William (Sep 12)
    - Re: MFA requirement for faculty Cam Beasley (Sep 12)
    - Re: MFA requirement for faculty Tina Thorstenson (Sep 12)
    - Re: MFA requirement for faculty Telfer, Will (Sep 12)
    - Re: MFA requirement for faculty Steve Niedzwiecki (Sep 12)
    - Re: MFA requirement for faculty Gregg, Christopher S. (Sep 12)
    - Re: MFA requirement for faculty Harvard Townsend (Sep 12)
    - Re: MFA requirement for faculty Gael Frouin (Sep 12)
    - Re: MFA requirement for faculty Valerie Vogel (Sep 19)
    - Re: MFA requirement for faculty Mr. Ikram Muhammad (Sep 14)
- Re: Fw: MFA requirement for faculty Carrie Shumaker (Sep 12)
  - Re: Fw: MFA requirement for faculty Jeremy Rosenberg (Sep 12)