Educause Security Discussion mailing list archives

Re: MFA Student Deployment Questions


From: "Telfer, Will" <Will_Telfer () BAYLOR EDU>
Date: Thu, 17 Jan 2019 14:42:58 +0000

I was very involved in the first rollout of Duo to faculty, staff, & students outside of a handful of specialized 
services like VPN (which were already enabled when I assumed the MFA support role as part of my job). If you have any 
other questions, please let me know.


  1.  What methodology did you use to deploy MFA to students, incremental based on a variable or everyone at once?
We rolled it out on one service first to all faculty, staff, & students – students use this service to register for 
classes so we timed it to be about a month before they would need to be enrolled. Then about a year later we rolled it 
out to 50+ services that were all behind the same unified login (Shibboleth). Last, within the past 6 months we added 
Office 365 into the services protected by MFA. There are still groups where MFA use is not enforced, but we have 
started to discuss how to roll it out to some of those special areas (auxiliary staff, retirees, etc.).


  2.  Does your university provide students with hard tokens? If so, do the students have to pay for the token? How 
much?
At first we were providing tokens to students who lost or damaged their phones or had them stolen, but it was difficult to 
get them back. Now tokens are available in the campus bookstore for $35. We also have under 10 faculty/staff members 
who have university-provided tokens because they do not own a mobile device of any kind.


  3.  How do you manage accessibility issues for students with disabilities?
Duo, our chosen MFA solution, provides multiple ways to authenticate – phone call, SMS, Duo Mobile app, hardware token, 
or U2F key. So far I have not heard of any issues in this area.


  4.  How do you handle situations where students cannot take a device into a proctored testing lab?  Did faculty have 
concerns about raising test anxiety for students? How were they addressed?
I am not sure we have any proctored test situations like that on our campus. Faculty were informed via email messages, 
mail-outs, digital signage, etc. about the implementation of Duo. As far as I know, students are allowed to authenticate 
via Duo & then the device has to be put away. I have not heard of this issue on our campus. We tried to blanket the 
campus with communication before each Duo rollout so we could get ahead of these issues.


  5.  Are you handling student registration differently than faculty and staff?  Please provide the link to any public 
documentation describing student enrollment.
For the initial rollout the Help Desk & I staffed tables at different days & times in various locations around 
campus with laptops/tablets available to assist faculty, staff, & students with enrolling in Duo. We gave away Baylor 
gold ‘Do you? We do.’ (with the Duo logo in the last o) t-shirts to anyone who enrolled at the table or could show us 
on their mobile device that they had previously enrolled. The process started during October (National Cybersecurity 
Awareness Month) so we sponsored one Dr Pepper Hour (which is a weekly event at Baylor) where we had 10 laptops set up 
to assist in the enrollment process, t-shirts & other swag to give away, & I arranged to have the campus mascot wear 
one of our Duo t-shirts & walk around the room to encourage enrollment in Duo. We have some information available on 
this website about our MFA implementation: https://www.baylor.edu/its/weduo.



Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services
Twitter: @BearAware
Facebook: www.facebook.com/BearAware

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Stefan Wahe
Sent: Wednesday, January 16, 2019 8:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MFA Student Deployment Questions


We are trying to finalize our MFA student deployment plans.  We have received some interesting questions.  We are 
interested in how your campus managed student deployment (we are partway through our faculty/staff deployment).  I 
would appreciate a response to the following questions.


  1.  What methodology did you use to deploy MFA to students, incremental based on a variable or everyone at once?
  2.  Does your university provide students with hard tokens? If so, do the students have to pay for the token? How 
much?
  3.  How do you manage accessibility issues for students with disabilities?
  4.  How do you handle situations where students cannot take a device into a proctored testing lab?  Did faculty have 
concerns about raising test anxiety for students? How were they addressed?
  5.  Are you handling student registration differently than faculty and staff?  Please provide the link to any public 
documentation describing student enrollment.

I appreciate your responses.

Sincerely – Stefan Wahe


*****************************
Stefan Wahe, CISSP
University of Wisconsin-Madison
Office of Cybersecurity
Deputy Chief Information Security Officer
HIPAA Security Officer
608-265-1177

