Two years into a $1.8 million pilot award from the National Strategy for Trusted Identities in Cyberspace, Internet2 is busy helping higher education institutions embrace multi-factor authentication. The MFA “Cohortium” consists of 50 institutions – each in varying stages of rolling out multi-factor – that act as sounding boards and offer support.
“We’re trying to move the needle for all institutions within the U.S. when it comes to multi-factor authentication,” says David Walker, a coordinator for the MFA Cohortium. “Some are just thinking, ‘I’ve heard of it and I’m not sure what I want to do.’ Others know they want to do something and they’re starting to build the business case for doing it. Then there are institutions that are actively deploying. We’re trying to work in all of those areas,” says Walker, who also works with Internet2’s InCommon, an identity federation for U.S. higher education institutions.
Why cohortium? “It is a play on the word ‘cohort,’ which is used a lot in higher education to indicate a group that moves through a course, process or experience over the same time period,” says Michael Grady, project manager and coordinator for MFA Cohortium.
The Cohortium exists to gather and create as much information as possible about the business and use cases for multi-factor authentication in higher education, says Grady. “Many campuses have implemented a Web single sign-on system for authentication to campus enterprise services or cloud-offered services,” Grady says. “The software typically used in higher education for accessing cloud services is called Shibboleth, which supports the SAML protocol. It’s an open-source effort that came out of Internet2.”
Grady says the grant has helped fund a couple of software efforts: a connector in the Shibboleth identity provider that integrates various multi-factor technologies, as well as similar functionality in Central Authentication Service – another single sign-on project that campuses use within the enterprise rather than externally with cloud services.
“The project has helped fund software that makes it easy for an institution to plug in whatever multi-function authentication technology they want to use into that single sign-on system,” Grady says.
The project also enables institutions to switch small batches of users, instead of forcing everyone to switch over at once. “When you have very large communities – a quarter million students, staff and faculty – rolling out multi-factor to the whole community simultaneously can be very expensive and almost undoable,” Walker says.
Grady says it comes down to risk versus cost. “When deploying multi-function authentication, institutions are looking for the areas of highest risk and which people are going to use that service,” Grady says. “That’s where we need to get it out to first.”
“The day of relying on passwords alone is probably gone now,” he says.
“But you can’t go from where you’re at today – from relying on passwords for everything – to having everybody at an institution use multi-function in a day, a month or even a year,” explains Grady. “Gradually it’s going to expand to include everybody, but we’re not there yet.”