Re: MFA Student Deployment Questions

["Gregg, Christopher S." <csgregg () STTHOMAS EDU>]

I’d be interested in seeing the data behind that statement as well.

That said, depending on your Microsoft licensing arrangement, their MFA offerings may not have cost anything new or 
extra.  We were already licensing the Azure AD Premium license for the Self-Service Password Reset function, and Azure 
MFA was included with that.  And since they didn’t offer a token solution at the time there was no extra cost there 
either :-)

They could also be considering that e-mail specific MFA is built in for free to both Office365 and Google now.

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu>




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brad Judy
Sent: Thursday, January 24, 2019 11:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA Student Deployment Questions

From the paper:

“Costs for a multifactor platform have decreased dramatically over the past five years.”

Having deployed Duo around five years ago, I can say that the price actually doubled in the last five years, not 
decreased. Luckily we are grandfathered into the older pricing model.

I’m not sure how the conclusion was reached that MFA costs have decreased dramatically in the last five years. That 
might be true over the last 10 years as the focus has moved from physical tokens to apps/SMS/voice (and also including 
when Microsoft bought PhoneFactor and changed their licensing model), but not for higher ed in the last five years.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cu.edu%2F&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cdcbe9d7416714bc0595808d682209d72%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636839473962605422&sdata=93e08OWBFq8sKEN9KbZCYW3r4I%2FDOFMrdzPhFwpPgJA%3D&reserved=0>

[cu-logo_fl]


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of 
"Valerie EDU>" <vvogel () EDUCAUSE EDU<mailto:vvogel () EDUCAUSE EDU>>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Thursday, January 24, 2019 at 9:33 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] MFA Student Deployment Questions

Hi Stefan,

We just published a short paper on Two-Factor Authentication: Lessons Learned with input from several campuses. This 
may not directly address the questions listed below, but might have some useful information. Contributing 
authors/campuses are listed in the Acknowledgements section.

https://library.educause.edu/resources/2019/1/two-factor-authentication-lessons-learned<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flibrary.educause.edu%2Fresources%2F2019%2F1%2Ftwo-factor-authentication-lessons-learned&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cdcbe9d7416714bc0595808d682209d72%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636839473962615427&sdata=D5ErdCFJcWvrYgmdTRX2i8YSWlEuDLhwRgmcG0UuY%2BE%3D&reserved=0>

Thank you,
Valerie

Valerie Vogel
Interim Director, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on 
LinkedIn<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fhigher-education-information-security-council-heisc-%2F&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cdcbe9d7416714bc0595808d682209d72%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636839473962615427&sdata=QHOuryak%2FN8FP3NVqc1eKqign33KwaZViB4jjuy%2Bd%2Fg%3D&reserved=0>
 | twitter: @HEISCouncil | vvogel () educause edu<mailto:vvogel () educause edu>

From: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on 
behalf of Stefan Wahe <0000009ffd3543ad-dmarc-request () LISTSERV EDUCAUSE EDU<mailto:0000009ffd3543ad-dmarc-request () 
LISTSERV EDUCAUSE EDU>>
Reply-To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Wednesday, January 16, 2019 at 6:49 PM
To: Security Discussion Group List <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] MFA Student Deployment Questions


We are trying to finalize our MFA student deployment plans.  We have received some interesting questions.  We are 
interested in how your campus managed student deployment (we are partway through our faculty/staff deployment).  I 
would appreciate a response to the following questions.


  1.  What methodology did you use to deploy MFA to students, incremental based on a variable or everyone at once?
  2.  Does your university provide students with hard tokens? If so, do the students have to pay for the token? How 
much?
  3.  How to you manage accessibility issues for students with disabilities?
  4.  How do you handle situations where students can not take a device into a proctored testing lab?  Did faculty have 
concerns about raising test anxiety for students? How were they addressed.
  5.  Are you handling student registration differently than faculty and staff?  Please provide the link to any public 
documentation describing student enrollment.

I appreciate your responses.

Sincerely – Stefan Wahe


*****************************
Stefan Wahe, CISSP
University of Wisconsin-Madison
Office of Cybersecurity
Deputy Chief Information Security Officer
HIPAA Security Officer
608-265-1177
[signature_767482743]