University of Arizona
A Cohortium member, the University of Arizona had been looking into multi-factor authentication for years.
“We’ve been using it in various small areas and small projects,” says Gary Windham, senior enterprise systems architect in UITS. “We’ve wanted to deploy multi-factor on a broader scale for quite some time, and we’ve recently done it.”
The university offers multi-factor to students, faculty and staff on a voluntary basis. Out of more than 50,000 potential users, fewer than 1,000 have opted in. But Windham says the users, who heard about it through word of mouth and very limited advertising, are sending positive feedback.
“We expect to see that continue as we roll out two-factor authentication as a mandatory feature of certain enterprise systems,” Windham says. “They have the choice of enabling it for all services that utilize our campus single sign-on system.”
When a member of the campus community authenticates with their username and password, the single sign-on system then checks the enterprise directory service to see if they opted in for the two-factor service, Windham says.
There are several ways the university is enabling multi-factor authentication:
- Users can have a batch of 10 passcodes sent to their registered SMS-capable device at any time; each passcode is good for one use, and getting a new batch of 10 expires any passcodes remaining in the previous batch.
- Users can generate a passcode via a mobile app.
- Users can generate a set of “bypass codes” via a self-service, two-factor authentication management portal; each bypass code is good for one use – just like those received via SMS – but can be used if the user can’t find their device.
- Users can use a Yubikey token to generate an OTP that can be used in place of standard passcodes.
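The passcode semantics described above (a batch of 10 single-use SMS codes, where a new batch expires what is left of the old one, plus separately issued single-use bypass codes) can be modelled as a small server-side store. This is an added illustration, not the University of Arizona's code; the class name, code formats and the hashed-storage and constant-time-compare choices are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

BATCH_SIZE = 10  # the article describes batches of 10 SMS passcodes


def _digest(code: str) -> bytes:
    # Keep only a hash server-side so a leaked table yields no usable codes.
    return hashlib.sha256(code.encode()).digest()


@dataclass
class PasscodeStore:
    """Per-user pools of single-use passcodes (hypothetical illustration)."""
    sms_batches: dict[str, set[bytes]] = field(default_factory=dict)
    bypass_codes: dict[str, set[bytes]] = field(default_factory=dict)

    def issue_sms_batch(self, user: str) -> list[str]:
        """Mint a fresh batch; assigning the new set voids any leftovers."""
        codes: list[str] = []
        while len(codes) < BATCH_SIZE:  # avoid duplicate codes in one batch
            code = f"{secrets.randbelow(10**6):06d}"
            if code not in codes:
                codes.append(code)
        self.sms_batches[user] = {_digest(c) for c in codes}
        return codes  # delivered out of band to the registered SMS device

    def issue_bypass_codes(self, user: str, count: int = 5) -> list[str]:
        """Self-service bypass codes: single-use, independent of the SMS batch."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.bypass_codes[user] = {_digest(c) for c in codes}
        return codes

    def redeem(self, user: str, submitted: str) -> bool:
        """Accept a code from either pool exactly once, then burn it."""
        candidate = _digest(submitted)
        pools = (self.sms_batches.get(user, set()),
                 self.bypass_codes.get(user, set()))
        for pool in pools:
            for stored in list(pool):
                # Constant-time compare against every live code.
                if hmac.compare_digest(stored, candidate):
                    pool.discard(stored)
                    return True
        return False
```

Reissuing a batch is what makes lost or intercepted older codes worthless, so a real deployment should log both issuance and failed redemptions per user to spot guessing attempts.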
Those who’ve opted in will choose from a list of devices they registered for potential use, then answer a challenge question or enter a code. Windham says the university was early in its multi-factor implementation phase when it joined the Cohortium. He says it’s provided a sounding board for ideas and a sanity check during the deployment process.
“There’s lots of areas I’m sure we haven’t thought of that other schools may have addressed,” says Windham, who wants to keep tabs on what the rest of higher education is doing with multi-factor best practices and offerings.
“Consumers are starting to expect this level of security and identity verification because their banks and social media sites are doing it,” Windham says. “The data and applications that people interact with at higher education institutions can be just as sensitive, if not more so, than the personal data that you’re managing at financial institutions.”
University of Chicago
The University of Chicago is offering multi-factor on a voluntary basis to faculty and staff only, protecting the single sign-on system and nearly 200 Web applications, says David Langenberg, senior systems programmer for identity and access management at the university.
“A user can opt in to have all of their authentication protected by two-factor – kind of similar to turning on two-factor authentication on Google – or a service itself can elect to force use of two-factor authentication,” he says.
Like the University of Arizona, the University of Chicago is in the early phase of its rollout. About 400 users have signed up, with nearly half opting to force all of their authentications to be two-factor.
“We were interested in finding a group of universities who had done this so that we could share the pain and our experiences,” Langenberg says. “Along the way, we’ve certainly had some other universities assist us with vetting our ideas.”
The University of Chicago is offering a couple of options for two-factor authentication. Users can receive a one-time code over SMS or have a service call them and read a code to use for login. The default method doesn’t require a code but instead sends a prompt to the mobile phone, alerting the user that their login is being used to access a particular system.
Langenberg says the teamwork he’s found in the Cohortium is both useful and necessary. “The password is long dead, and you need to definitely move into a security stance that involves more than one factor for authentication,” Langenberg says.
The Cohortium is made up mostly of colleges and universities, with some commercial members as well. It was created as a 15-month project, but it’s going strong with no hard ending date. Non-member institutions that want to roll out multi-factor can benefit from the work of Internet2 through its InCommon Federation. InCommon represents end users across hundreds of institutions, creating bargaining power that secures discounts from commercial software vendors and service providers.