Educause Security Discussion mailing list archives
Re: 2-Factor Authentication / FERPA
From: Thomas Skill <tskill1 () UDAYTON EDU>
Date: Fri, 3 Mar 2017 12:08:06 -0500
Mike -- We went "all in" with 2FA for all faculty, staff and student employees. Next fall all students will be able to opt in. A few quick lessons learned: 1. Strong "stay the course" support from all campus leadership is essential for successful "buy-in" by faculty 2. Making the case for the risk and need is critical -- threats are real, all schools are targets and yes 2FA can help make a big difference in protecting us. A solid and thoughtful campus communications plan is required! 3. If you have a faculty senate - work with them to sell the idea and win their support. 4. Link the 2FA project to your broader cybersecurity training efforts. 2FA does not address/solve all risks, so you must protect against folks assuming that "with 2FA security is now solved!" 5. If you are going to require faculty to use 2FA for some systems, you should seriously consider rolling it out for all systems that you can cover -- the real logistics headache is getting 2FA working for the end user (token activation and./or smartphone push activation may require some "hand holding") -- If you can get faculty operational on 2FA, why not cover your email, ERP and LMS -- those are the most "at risk" systems that are easily breached with stolen/phished credentials. Here is a link to our website on the roll-out (we even made a video to explain the risk to faculty!) https://udayton.edu/udit/accounts_access/2fa/about.php Good Luck Tom Thomas Skill, Ph.D. Associate Provost & CIO Professor of Communication Office (937) 229-4307 Fax (937) 229-4044 eMail: skill () udayton edu <tskill1 () udayton edu> Twitter: @skilltd <https://twitter.com/skilltd> Linkedin: skilltd <http://www.linkedin.com/in/skilltd> UDit University of Dayton 300 College Park Dayton, OH 45469-2230 *GO.UDAYTON.EDU/SAFECOMPUTING <http://go.udayton.edu/SAFECOMPUTING>* On Fri, Mar 3, 2017 at 11:36 AM, Dodor, Michael <DodorM () uwstout edu> wrote:
Greetings, A number of regional campuses are in discussions on requiring 2-factor for access to High Risk data and one of the elements would be non-directory (private) FERPA records. The consensus concern with such a rollout would be usability on such a large scale and backlash from Faculty. Has anyone implemented and required 2-factor authentication for faculty accessing non-directory records? And if so, any tips? Thank you. Mike Dodor Network Administrator/Information Security Learning and Information Technology University of Wisconsin – Stout 327 Millennium Hall Menomonie, WI 54751 Phone: 715-232-2671 <(715)%20232-2671> dodorm () uwstout edu
Current thread:
- 2-Factor Authentication / FERPA Dodor, Michael (Mar 03)
- Re: 2-Factor Authentication / FERPA Thomas Skill (Mar 03)
- Re: 2-Factor Authentication / FERPA Shawn Merdinger (Mar 03)
- Re: 2-Factor Authentication / FERPA Nicholas Garigliano (Mar 03)
- Re: 2-Factor Authentication / FERPA Ben Marsden (Mar 03)
- Re: 2-Factor Authentication / FERPA Shettler, David (Mar 03)
- Re: 2-Factor Authentication / FERPA Nicholas Garigliano (Mar 03)
- Re: 2-Factor Authentication / FERPA Ben Marsden (Mar 03)
- <Possible follow-ups>
- Re: 2-Factor Authentication / FERPA Hudson, Edward (Mar 03)