October is National Cybersecurity Awareness Month (NCSAM) in the U.S. and the second week of NCSAM 2018 is focused on higher education. NCSAM was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.
Following last year’s successful campaign with Utah Valley University (UVU) and the National Cyber Security Alliance (NCSA), we thought it would be interesting to talk this year about how higher education institutions are adopting multi-factor authentication (MFA), also referred to as two-factor authentication, across the community.
In 2017, NCSA worked with its public relations firm, Thatcher+Co., to conduct a cybersecurity outreach saturation campaign for UVU’s campus community. The aim was to make students and staff more aware of cybersecurity and to encourage faculty, staff, and students to implement MFA using Duo Security’s services. With strong support from the university’s executive team, including the president, UVU rolled out mandatory MFA for faculty and optional multi-factor for students. Additionally, a survey was deployed to understand what UVU students know about cybersecurity, what they are doing to be safe online, and what they want to know about cybersecurity. The campus campaign also included social media, video, and email outreach, digital and traditional signage, and booths on campus encouraging students to opt in to MFA.
The campaign, “Lock Down Your Login with The National Cyber Security Alliance and Utah Valley University: A Campus Cyber Saturation Campaign,” includes statistics from the UVU survey about its MFA outreach efforts. This write-up provides a helpful resource for other institutions seeking to accelerate deployment of MFA on their campuses.
UVU is not alone in this journey. Most U.S. colleges and universities are in the process of adopting MFA on their campuses or extending their deployments to include faculty, staff, students, alumni, and everyone else in their community as a way to ensure their constituents are protected. These efforts have been in response to phishing incidents, increasing government information security and data protection requirements, and institutional support for improving information security on campuses. These changes over the last few years have made getting high-level buy-in on campuses for broad deployments of MFA less difficult than in the past, when deployments weren’t as common.
In the 2016 EDUCAUSE Core Data Service survey, institutions were asked about the status of MFA deployments on campus, and 73 percent of respondents were either tracking, planning, partially deployed, or deployed institution-wide. Six percent of campuses have deployed institution-wide, protecting their entire community. The 2018 CDS survey is underway and will show how campuses have been expanding MFA deployments on their campuses.
One campus that has an MFA deployment in November this year is Old Dominion University (ODU). To protect against phished credentials, ODU will require two-factor authentication through its Single Sign-On system. The university will have an awareness campaign in October during NCSAM to prepare its campus for the deployment. “We are fortunate to have a strong information security program at ODU, but no organization is immune from being successfully attacked,” Doug Streit, ODU’s chief information security officer, said. “Two-factor authentication protects us by requiring a registered device that is in the possession of the account holder in order to complete the authentication. This is something a remote attacker will find difficult to overcome.” A member of the Internet2 Duo advisory board, Streit helps provide oversight and guidance to the Internet2 program.
Internet2 has managed a program in collaboration with Duo Security since 2012 focused on making MFA available to campuses and engaging with the community on deployment challenges specific to higher education. The program currently includes 154 participating campuses with MFA deployments reaching more than 1.2 million faculty and staff and almost two million students, based on IPEDS data from 2017. This is only a subset of the overall higher education community adopting MFA on their campuses. The Internet2 Duo program was designed working with the Internet2 Duo advisory board campuses, Duo, and Internet2, with terms and conditions intended to meet the needs of higher education. This program has experienced 15 percent growth over the last year since October 2017 and 34 percent growth from October 2016. This program has advanced MFA deployments throughout the higher education community.
It is our shared responsibility to provide stronger authentication options that will empower students, faculty, and staff to better protect their campuses, data and identities. While MFA deployment efforts are expanding rapidly across colleges and universities in the U.S., organizations like EDUCAUSE, Internet2, and NCSA will continue working together to raise awareness about the effectiveness of two-factor or multi-factor authentication and share lessons learned.
Higher education has several community resources around MFA on campuses:
- The EDUCAUSE Higher Education Information Security Council (HEISC) has developed an Information Security Guide toolkit on two-factor and multi-factor authentication: https://spaces.at.internet2.edu/display/2014infosecurityguide/Two-Factor+Authentication
- Internet2/Duo program: https://www.internet2.edu/products-services/cloud-services-applications/duo-security/
- Internet2 Trust and Identity in Education and Research program: https://www.internet2.edu/vision-initiatives/initiatives/trust-identity-education-research/
- MFA Cohortium where campuses shared white papers, documents and diagrams: https://spaces.at.internet2.edu/display/mfacohortium/Home
Internet2 will have several sessions at the Technology Exchange 2018 in Orlando, FL, October 15-18, where we will convene the community to discuss MFA and many other topics of interest to higher education information security, including a presentation from Jacob Farmer from Indiana University on: “All In: Lessons from a Mass Multifactor Authentication Roll-out”: https://meetings.internet2.edu/2018-technology-exchange/detail/10005152/
Higher education speakers have given numerous presentations at different conferences where they have shared best practices and details of their deployments.
Duo Security also has several resources for campuses on deploying Duo:
Many campuses have shared their deployment resources with the rest of the community:
- Baylor University: https://www.baylor.edu/its/index.php?id=863033
- Indiana University: https://one.iu.edu/task/iu/duo
- New York University: http://www.nyu.edu/life/information-technology/getting-started/netid-and-password/mfa.html
- Northwestern: https://www.it.northwestern.edu/security/multi-factor-authentication/
  - Including posters for their campus: https://www.it.northwestern.edu/bin/docs/iso/Cybersecurity-Print-MFA-11×17.pdf
- Old Dominion University: https://www.odu.edu/ts/access/two-factor-authentication
- Penn State University: https://www.identity.psu.edu/services/authentication-services/two-factor/
- University of Maryland Baltimore County: https://wiki.umbc.edu/display/faq/Two-Factor+Authentication+with+DUO
- Utah Valley University: https://www.uvu.edu/oit/security/twofactor/
- Virginia Tech: https://www.tech.it.vt.edu/2factor/
About NCSA: https://staysafeonline.org/about/
About Internet2: https://www.internet2.edu/about-us/
About EDUCAUSE: https://www.educause.edu/about
About Duo: https://duo.com/about
About the Author
Nick Lewis (CISSP) is a Program Manager for Security and Identity at Internet2, where he manages the NET+ security and identity services portfolio, while also contributing to the development of new NET+ offerings in cloud security. Nick rejoined Internet2 in 2015, after previously working here from 2002-2007. Nick has also held positions in information security at the University of Michigan and most recently was Director of IT Security and Compliance and Information Security Officer at Saint Louis University. He has also worked for Children’s Hospital Boston as an Information Security Manager and Michigan State University as an Information Technologist. Nick holds master’s degrees in information assurance from Norwich University and telecommunications from Michigan State University.