Educause Security Discussion mailing list archives

Re: 2-Factor Authentication / FERPA


From: Thomas Skill <tskill1 () UDAYTON EDU>
Date: Fri, 3 Mar 2017 12:08:06 -0500

Mike -- We went "all in" with 2FA for all faculty, staff and student
employees.  Next fall all students will be able to opt in.

A few quick lessons learned:

   1. Strong "stay the course" support from all campus leadership is
   essential for successful "buy-in" by faculty
   2. Making the case for the risk and need is critical -- threats are
   real, all schools are targets and yes 2FA can help make a big difference in
   protecting us. A solid and thoughtful campus communications plan is
   required!
   3. If you have a faculty senate - work with them to sell the idea and
   win their support.
   4. Link the 2FA project to your broader cybersecurity training efforts.
   2FA does not address/solve all risks, so you must protect against folks
   assuming that "with 2FA security is now solved!"
   5. If you are going to require faculty to use 2FA for some systems, you
   should seriously consider rolling it out for all systems that you can cover
   -- the real logistics headache is getting 2FA working for the end user
   (token activation and/or smartphone push activation may require some "hand
   holding") -- If you can get faculty operational on 2FA, why not cover your
   email, ERP and LMS -- those are the most "at risk" systems that are easily
   breached with stolen/phished credentials.

Here is a link to our website on the roll-out (we even made a video to
explain the risk to faculty!)

https://udayton.edu/udit/accounts_access/2fa/about.php

Good Luck
Tom

Thomas Skill, Ph.D.
Associate Provost & CIO
Professor of Communication
Office (937) 229-4307
Fax (937) 229-4044

eMail: skill () udayton edu <tskill1 () udayton edu>
Twitter: @skilltd <https://twitter.com/skilltd>
Linkedin: skilltd <http://www.linkedin.com/in/skilltd>

UDit
University of Dayton
300 College Park
Dayton, OH 45469-2230


*GO.UDAYTON.EDU/SAFECOMPUTING <http://go.udayton.edu/SAFECOMPUTING>*


On Fri, Mar 3, 2017 at 11:36 AM, Dodor, Michael <DodorM () uwstout edu> wrote:

Greetings,



A number of regional campuses are in discussions on requiring 2-factor for
access to High Risk data and one of the elements would be non-directory
(private) FERPA records.

The consensus concern with such a rollout would be usability on such a
large scale and backlash from Faculty.



Has anyone implemented and required 2-factor authentication for faculty
accessing non-directory records? And if so, any tips?



Thank you.



Mike Dodor

Network Administrator/Information Security

Learning and Information Technology

University of Wisconsin – Stout

327 Millennium Hall

Menomonie, WI  54751

Phone: 715-232-2671

dodorm () uwstout edu



