Educause Security Discussion mailing list archives

Re: MFA Student Deployment Questions


From: "Giacobe, Nick" <nxg13 () PSU EDU>
Date: Thu, 17 Jan 2019 03:52:39 +0000

We rolled out in phases.  Eventually, we set a required deadline for faculty/staff and all employees (including student 
employees) to use our 2FA solution.  We have not (yet, I suspect it's coming soon) required student participation. 
Currently, it's optional for students.  See https://www.identity.psu.edu/services/authentication-services/two-factor/ 
for what we tell our folks about the system.

Our 2FA solution (DUO) can use a smartphone app, telephone calling to user-defined phone numbers and a 2FA dongle.  The 
app operates in two modes. One mode is push, where the app is notified that a logon request has occurred, and the user 
must approve by clicking a button on the app. The second mode is a synchronized pseudo-random number, like a dongle does.
I think the phone call version addresses many of the disability/accessibility issues.  For the dongle, we allow the 
user to purchase it, if they want to... $22 per dongle.  Also, there is an option for the user to have the system send 
them a text message with ten (10) one-time-use login 2FA codes.  That may work also for some accessibility situations.

Similar to what others report, faculty and staff took longer to adapt than students, but that may be similar to 
different generational issues with technology adoption.

Anecdotally, I'd have to say that the vast majority of our users use the smartphone app.

---
Nicklaus A. Giacobe, Ph.D.
Director of Undergraduate Programs and Assistant Teaching Professor
Phone: 814-865-8233
College of Information Sciences and Technology
Penn State University
E333 Westgate Building
University Park, PA 16802

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Edenfield, Alton
Sent: Wednesday, January 16, 2019 10:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA Student Deployment Questions

Hi Stefan,


  1.  What methodology did you use to deploy MFA to students, incremental based on a variable or everyone at once?
      We did all of our students all at once. We did ours like you're doing yours in the way of doing Staff and Faculty
      first and then students months later. The students handled it much better than staff. I think because it was a
      younger crowd. We made sure our student tech support was with us for the rollout of Staff and Faculty so that
      they were trained very well. They were pretty busy at first but it was manageable. We also timed the deployment
      with our New Student Orientation (NSO), and that helped a ton as well, since students are coming to get IT
      support on the first day of class anyways.
  2.  Does your university provide students with hard tokens? If so, do the students have to pay for the token? How
      much?
      The University did provide hardware tokens but if I had to guess we only gave out maybe 10-20.
  3.  How do you manage accessibility issues for students with disabilities?
      HMM, great question. I don't think this came up.
  4.  How do you handle situations where students cannot take a device into a proctored testing lab?  Did faculty have
      concerns about raising test anxiety for students? How were they addressed?
      I don't think we do Proctored testing and if we do it is on campus and MFA is not needed. Not sure on this,
      sorry.
  5.  Are you handling student registration differently than faculty and staff?  Please provide the link to any public
      documentation describing student enrollment.
      We put flyers out everywhere, digital signage, printed flyers in classes, dining facility, everywhere we could,
      along with emails and letters to mailboxes. They were practically the same enrollment between student, staff and
      faculty besides students showing up on NSO and maybe being more tech savvy.


Thanks,


Alton

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Stefan Wahe
<0000009ffd3543ad-dmarc-request () LISTSERV EDUCAUSE EDU>
Sent: Wednesday, January 16, 2019 6:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MFA Student Deployment Questions




We are trying to finalize our MFA student deployment plans.  We have received some interesting questions.  We are 
interested in how your campus managed student deployment (we are partway through our faculty/staff deployment).  I 
would appreciate a response to the following questions.



  1.  What methodology did you use to deploy MFA to students, incremental based on a variable or everyone at once?
      We did all of our students all at once. We did ours like you're doing yours in the way of doing Staff and Faculty
      first and then students months later. The students handled it much better than staff. I think because it was a
      younger crowd. We made sure our student tech support was with us for the rollout of Staff and Faculty so that
      they were trained very well. They were pretty busy at first but it was manageable. We also timed the deployment
      with our New Student Orientation (NSO), and that helped a ton as well, since students are coming to get IT
      support on the first day of class anyways.
  2.  Does your university provide students with hard tokens? If so, do the students have to pay for the token? How
      much?
      The University did provide hardware tokens but if I had to guess we only gave out maybe 10-20.
  3.  How do you manage accessibility issues for students with disabilities?
      HMM, great question. I don't think this came up.
  4.  How do you handle situations where students cannot take a device into a proctored testing lab?  Did faculty have
      concerns about raising test anxiety for students? How were they addressed?
      I don't think we do Proctored testing and if we do it is on campus and MFA is not needed. Not sure on this,
      sorry.
  5.  Are you handling student registration differently than faculty and staff?  Please provide the link to any public
      documentation describing student enrollment.
      We put flyers out everywhere, digital signage, printed flyers in classes, dining facility, everywhere we could,
      along with emails and letters to mailboxes. They were practically the same enrollment between student, staff and
      faculty besides students showing up on NSO and maybe being more tech savvy.



I appreciate your responses.



Sincerely - Stefan Wahe





*****************************

Stefan Wahe, CISSP

University of Wisconsin-Madison

Office of Cybersecurity

Deputy Chief Information Security Officer

HIPAA Security Officer

608-265-1177
