I sat down virtually with Illinois State University’s Interim Chief Information Security Officer Dan Taube to get the scoop on the Multi-Factor Authentication (MFA) campus-wide rollout.
Dan, thanks for taking the time to give us a better understanding of what MFA is and why it is important.
I’ll start with an easy one. Tell us a little bit about MFA and why Illinois State is implementing it?
Multi-Factor Authentication, or MFA for short, provides enhanced security for user accounts. Simply, it provides an additional protection beyond the basic username and password we are familiar with. With MFA in place, even if you were to have your password guessed or stolen, the attacker will not be able to sign into your account.
Will MFA be required to access all ISU systems?
We are currently releasing MFA for our Office 365 services. After April 30, 2021, all students, faculty, and staff will need to set MFA up to reach their email, install the Microsoft Office programs, or use cloud services like Teams and OneDrive. We will have a separate effort to implement the same MFA for other services at a later time.
So, if it is only Office 365, are we really that protected?
Yes, certainly. With the introduction of MFA for Office 365, we are not only protecting the data within Office 365. We are also removing access to a key resource that threat actors use to attack us further: email. That said, this is just one step of many in our effort to Secure the Bird. Information security truly requires a defense-in-depth approach.
How can MFA stop phishing and other cyberattacks? Is it worth the effort to implement this?
As I alluded to for the previous question, with MFA for Office 365, we are taking away the ability for threat actors to use our own email system to attack us, and others for that matter.
When a member of the University is compromised in an attack, their account is often used to send 1000s of phishing emails to other students, staff, and faculty. Since the compromised account is a member of the University, it will bypass protections in place for external senders. Additionally, recipients of the message will often trust the message as legitimate. We find that this results in more victims and additional compromises that then lead to more attacks and so on.
With MFA, we are not preventing the initial phishing or loss of a password, but instead stopping use of it. This then keeps the account, the data stored with it, and the rest of the University safe from attack.
In terms of it being worth it, you need to recognize the value of accounts and the data they have access to. When that is compromised, there can be direct financial impact to individuals and the institution that greatly surpass the inconvenience MFA admittedly introduces.
There are people that are concerned this will be an extra step to getting to their account. What can you say about that?
Since this is a security protection at the user level, we could not make it invisible. However, we were able to make decisions on when and how MFA would show so as to minimize impact to the user experience. A prime example of this is how users on the campus network will not be challenged by MFA. Another would be how we allow users to register their device for a period of time after the initial challenge.
That said, I recognize that some concerns are a result of poor communication and awareness of information security risks and protections. This is something that I will be working with University leadership to improve in the coming months.
Is there any truth to the rumor that we will have to authenticate on-campus every day?
There is a little bit of nuance in answering that question.
First, if a user is on campus and connected to the campus network, they will not see MFA.
However, if they are physically on campus, but on a different network, such as cellular service, then they may see MFA. This will ultimately depend on if they registered their device during the last MFA prompt. If the user selects the box to not ask for MFA during their sign-in, it will not challenge them for that program again for that period.
Where can people get help if they are concerned about setting it up properly?
The Technology Support Center is providing full support of MFA for all users. Their contact information:
Technology Support Center
115 Julian Hall
Illinois State University
Campus Box 4000
Normal, IL 61790-4000
Email: SupportCenter@ilstu.edu
Phone: (309) 438-4357
Phone Hours:
7:30 a.m.-10 p.m. Monday-Friday
10 a.m.-6:30 p.m. Saturday-Sunday
Thank you very much to Dan Taube for his time giving us the scoop on Multi-Factor Authentication.