General Discussion

  • 1.  Two factor authentication at the institution level

    STAR CONTRIBUTOR
    Posted 01-04-2021 12:14
    Hello friends,
    I hope everyone had a good holiday break and you were able to get some time away.

    In an effort to boost security, some sponsors are moving to adopt two-factor authentication for accounts, most notably login.gov and NIH. This is great.... generally! However, we have a number of "institutional" accounts that we use to access information with an admin username and password. The login information is kept in a central spot so that when needs arise within the office, multiple people are able to access as necessary. With two-factor authentication, as you may know, the second factor is tied to a phone number or secondary device to authenticate the person trying to access the account. This could cause some crossed wires on the best of days within an office that isn't distributed, but throw in people working from home and devices / phones not quite all synchronized, and there are some hiccup points!

    My questions are pretty general. How are your institutions handling this (or maybe they aren't)? Do you know of any best practices for two-factor authentication with shared, institutional accounts?

    ------------------------------
    Augusta Isley
    Senior Proposal Manager
    Ball State University
    amwray@bsu.edu
    ------------------------------


  • 2.  RE: Two factor authentication at the institution level

    Posted 01-05-2021 05:57
    Augusta,

    I think this is going to be a huge issue and I'm hoping the sponsors work this out in the months to come.  We have had to buy a central cell phone for the 2FA. It's my understanding there are desktop 2FA options, but that doesn't change the issue at hand.  Luckily the sponsors already requiring it (Dept of State, Homeland Security, etc.) are not high-volume sponsors, for us, so we've been able to manage.  It's a hassle for sure, and increases the administrative burden, but we've dealt with it.

    We decided immediately to hold off on the NIH portals until June in hopes that the process is improved upon before mandatory implementation in September.  We know it's going to be a headache for all the reasons you mentioned...and we're an R15 school.  I can't imagine how this would be addressed at a medical school.

    An alternative on the table is to have individuals use personal devices to log in most of the time and then submit under a central account, or perhaps submit under their own accounts where portals permit that.  That would reduce hassle, but now asks employees to use personal resources for business purposes.  That introduces a whole different set of issues (partial compensation for their phone - which no one has money for; possibility of their personal phone being confiscated should something go bad - extreme, but I've seen it happen more than once, etc.).

    Sorry, not much help there!
    David

    ------------------------------
    David Smelser
    Assistant Director, Sponsored Programs
    University of Tennessee
    ------------------------------



  • 3.  RE: Two factor authentication at the institution level

    STAR CONTRIBUTOR
    Posted 01-05-2021 06:22
    Commiseration is also helpful. Just to know we aren't the only ones muddling through. :D

    All of the IT security things I've read, not necessarily linked to higher education, have indicated individuals should have their own accounts. Because of course having a centralized account with multiple users logging in is a poor security practice. But with the way that some sponsor submission portals are set up, it is not feasible or even correct for individuals to have their own accounts.

    ------------------------------
    Augusta Isley
    Senior Proposal Manager
    Ball State University
    amwray@bsu.edu
    ------------------------------



  • 4.  RE: Two factor authentication at the institution level

    Posted 01-11-2021 07:22
    Hi David,

    While this does increase the administrative burden, especially on institutions with a large number of grants with federal agencies, it is apparent that the need to increase the security of sensitive information is also at an all-time high. Also, I would like to point out that the Department of Education already has two-factor authentication, which has three points of access for the second authentication. Once you have used your device for any login, as you might guess, it can't be used for any other login. Therefore, I use the "call me" feature when logging in to any account other than our institutional one. Still, you can also use the text feature if your profile has a cellphone attached. I used my office number, which is why the "call me" feature works for me. I think we have this to look forward to, and quite frankly, it might be better than changing passwords every five minutes as we do now.

    Have a great one everyone!

    Nichelle

    ------------------------------
    Nichelle Edwards
    Director, Office Sponsored Programs
    The Chicago School of Professional Psychology
    ------------------------------



  • 5.  RE: Two factor authentication at the institution level

    Posted 01-05-2021 12:58
    Hi Augusta.

    At UC Berkeley's Sponsored Projects Office, we set up a shared email account for our officers, then we used Twilio to provision a phone number and configure it to forward incoming text messages to the email account. This has been very useful.

    Some services use a different kind of 2nd factor where they have a robot voice telling you to press a number. We have successfully tested coding Twilio to do this, but we need to be careful about security implications. If the verification just needs someone to press a number, then our bot blindly sending a touch-tone would allow a potential hacker in if they had our credentials. On the other hand, if the verification speaks out a code after our side sends a touch-tone, then it would be secure to record/transcribe the call and forward it to our shared email account.

    ------------------------------
    Ken Geis
    Acting IT Director
    University of California, Berkeley
    ------------------------------



  • 6.  RE: Two factor authentication at the institution level

    SUPERSTAR CONTRIBUTOR
    Posted 01-05-2021 15:14
    Great question, Augusta.  I was concerned about this as well, because it also raises the issue of using personal devices for work and the implications of that practice (I don't know about you, but my institution does not provide me a cell phone for business use!).

    Fortunately, while it's "not preferred", login.gov allows the use of backup codes alone if you don't have a cell phone or other approved device:

    https://www.login.gov/help/creating-an-account/no-phone-or-other-authentication-method/

    We have not yet discussed it broadly as an institutional practice, but it seems a reasonable option for those who share accounts (or simply don't want to mix business with pleasure :-).

    Happy New Year, everyone!

    ------------------------------
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    Lisa Churchill
    Sr. Grants Information Manager
    The Salk Institute for Biological Studies
    ------------------------------



  • 7.  RE: Two factor authentication at the institution level

    Posted 01-07-2022 08:00
    Hello -

    I followed this post last year and just wanted to check in and find out if you had come up with a solution.  More and more sites seem to be moving to this and things are getting complicated when it comes to sharing accounts.   I know there are texting apps that can receive codes to, say, an office iPad, but it seems there are security issues with those too.

    Would love any additional input.  Our office highly discourages use of personal phones for this and will not purchase an office cell phone.

    ------------------------------
    Amy Moakley
    Research Information Coordinator
    University of Oklahoma
    ------------------------------



  • 8.  RE: Two factor authentication at the institution level

    Posted 01-07-2022 16:14
    Hi Amy. I'm replying off-list because I already mentioned UC Berkeley's solution to the list.

    We used Twilio to create a phone number that forwards text messages to an email address that every officer has access to. This took a few hours of technical work (with no prior Twilio experience). Our Sponsored Projects Office is thrilled with this because it used to be a manager's personal phone number and then officers would ask her for the code. This is costing us less than $2/month to maintain.

    Please feel free to forward my email address (kgeis@berkeley.edu) to someone in your organization (although on my side, I'll probably hand it over to the person who did the work!)


    Ken
    --
    Ken Geis (he/him/his) 
    Director, IT
    Research Administration and Compliance 
    University of California, Berkeley 
    LinkedIn | rac.berkeley.edu | berkeley.edu
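    The forwarding setup Ken describes in posts 5 and 8, as an added example that is not UC Berkeley's code: Twilio POSTs each inbound SMS or call to a webhook URL you register, and the functions below decide what to do with it. The request-signature check is Twilio's documented scheme (HMAC-SHA1 over the webhook URL plus the sorted POST fields, base64, sent in X-Twilio-Signature); the auth token, URLs, mailbox address, caller-ID table and sample message are all constructed for illustration. The voice handler encodes the caveat from post 5: it sends a touch-tone only for callers known to speak the code after the keypress, and hangs up on anything else.

```python
"""Webhook logic for a shared 2FA phone number (added example, not UC
Berkeley's code).  Twilio POSTs each inbound SMS or call to a URL you
configure; this module decides what to do with it.  The auth token, URLs,
mailbox, caller-ID table and sample text are assumptions, not real values.
"""
import base64
import hashlib
import hmac
import re
from email.message import EmailMessage
from typing import Mapping, Optional

AUTH_TOKEN = b"constructed-twilio-auth-token"        # assumption: from the Twilio console
SHARED_MAILBOX = "spo-2fa@example.edu"                # assumption: office mailbox
SMS_WEBHOOK_URL = "https://example.edu/twilio/sms"    # assumption: URL registered with Twilio


def twilio_signature(url: str, params: Mapping[str, str], token: bytes = AUTH_TOKEN) -> str:
    """Twilio's documented request signing: full URL, then each POST field
    (key then value, sorted by key), HMAC-SHA1 with the auth token, base64."""
    data = url + "".join(k + v for k, v in sorted(params.items()))
    digest = hmac.new(token, data.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_authentic(url: str, params: Mapping[str, str], header_sig: str,
                 token: bytes = AUTH_TOKEN) -> bool:
    """Reject webhook calls that were not signed by Twilio; otherwise anyone
    who finds the URL can push a bogus 'code' into the shared mailbox."""
    return hmac.compare_digest(twilio_signature(url, params, token), header_sig)


CODE_RE = re.compile(r"\b(\d{6,8})\b")   # assumption: one-time codes are 6 to 8 digits


def extract_code(body: str) -> Optional[str]:
    m = CODE_RE.search(body)
    return m.group(1) if m else None


def sms_to_email(url: str, params: Mapping[str, str], header_sig: str) -> Optional[EmailMessage]:
    """Build the forwarding e-mail for one inbound SMS, or None if it is dropped."""
    if not is_authentic(url, params, header_sig):
        return None                       # forged or tampered webhook call
    code = extract_code(params.get("Body", ""))
    if code is None:
        return None                       # wrong number, marketing text, etc.
    msg = EmailMessage()
    msg["From"] = SHARED_MAILBOX
    msg["To"] = SHARED_MAILBOX
    msg["Subject"] = f"2FA code {code} from {params.get('From', '?')}"
    msg.set_content(f"Received by {params.get('To', '?')}:\n\n{params.get('Body', '')}\n")
    return msg                            # hand to smtplib in a real deployment


# Respond to the SMS webhook with this body so Twilio sends no automatic reply.
EMPTY_TWIML = '<?xml version="1.0" encoding="UTF-8"?><Response></Response>'

# Which verification services call with which flow has to be learned by
# testing each portal; these caller IDs are constructed placeholders.
VOICE_FLOWS = {
    "+15555550100": "code-after-keypress",   # robot speaks the code once we press 1
    "+15555550200": "press-to-approve",      # pressing 1 alone approves the login
}


def voice_twiml(params: Mapping[str, str]) -> str:
    """TwiML for an inbound verification call."""
    flow = VOICE_FLOWS.get(params.get("From", ""))
    if flow != "code-after-keypress":
        # Unknown caller or press-to-approve flow: never answer with a blind
        # touch-tone, or a stolen password alone unlocks the account.
        return '<?xml version="1.0" encoding="UTF-8"?><Response><Hangup/></Response>'
    # The service reveals the code only after a keypress, so sending DTMF and
    # then recording/transcribing the rest of the call is safe to forward.
    return ('<?xml version="1.0" encoding="UTF-8"?><Response>'
            '<Play digits="wwww1"/>'
            '<Record maxLength="60" transcribe="true" '
            'transcribeCallback="https://example.edu/twilio/transcript"/>'
            '</Response>')
```

    The HTTP wrapper (a few lines of Flask or any WSGI app) and the SMTP send are left out; the point is that the webhook verifies the signature before trusting anything in the body, and that forwarding a code to a shared mailbox makes everyone with mailbox access a holder of the second factor, so that mailbox deserves the same care as the password store.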





  • 9.  RE: Two factor authentication at the institution level

    SUPERSTAR CONTRIBUTOR
    Posted 01-10-2022 09:19
    Hi Amy,

    While we don't share credentials in our office, our Investigators do (with their AAs, etc), and they've found the following workaround really helpful (Mac-centric, but should work on PCs as well, with the appropriate software):

    Go ahead and set up a phone as the first method.  THEN:

    You'll need to do this (once) on any computer that wants to use the Authenticator App method.  Chrome Authenticator is the only App for Mac OS (there are others for iOS, I believe) that is supported/endorsed by login.gov (according to their website).

    1.  Open Chrome and Download Chrome Authenticator Extension
    https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en

    2.  Quit Chrome and re-open it
    3.  Click the Extensions button to the right of the location bar in Chrome (looks like a puzzle piece).

    4.  From the dropdown, choose the three dots next to Authenticator and choose "Pin" (that will put the extension on your location bar; it looks like a QR code and will be next to the extensions widget now).

    5.  Go to https://secure.login.gov/ and login (using whatever 2-factor is currently set up-likely phone)

    6.  Select "Enable..." or "Add Authenticator App" and follow the instructions (use the mouse to scan the QR code if one comes up, or click the Auth extension on the location bar and enter the six digits).

    7.  Next time you begin to login to NIH (even if you're on a different browser): also go to Chrome, to login.gov, then click the little QR button next to the location bar.  The six-digit number there will work on the browser you're using to login for eRA Commons.

    Cheers,
    -Lisa


    Lisa Churchill (she, her)
    DIRECTOR, GRANTS ADMINISTRATION
    PH (858) 453-4100 x1309  FX (858) 535-9663
    E churchill@salk.edu
    Salk Institute for Biological Studies
    10010 N Torrey Pines Rd  La Jolla, CA 92037
    WWW.SALK.EDU
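    What the authenticator extension in Lisa's steps is actually computing, as an added example that is neither login.gov's nor the Chrome Authenticator extension's code: the QR code in step 6 encodes an otpauth:// URI carrying a base32 seed, and the six-digit code is RFC 6238 TOTP over that seed and the current time. The provisioning URI below is constructed; its seed is the RFC 6238 test secret "12345678901234567890", so the outputs can be checked against the RFC's published vectors. The label and issuer values are assumptions about what such a URI would contain.

```python
"""RFC 6238 TOTP: what an authenticator app derives from the QR code in
step 6 (added example, not login.gov's or the Chrome extension's code).
SAMPLE_URI is constructed; its seed is the RFC 6238 test secret, so the
codes below match the RFC's own table (e.g. 287082 at T=59).
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the same format real provisioning QR codes use.
SAMPLE_URI = ("otpauth://totp/login.gov:user%40example.edu"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=login.gov")


def parse_otpauth(uri: str) -> dict:
    """Pull the seed and parameters out of an otpauth:// provisioning URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper()
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        # The seed is the real shared secret; anyone holding it owns the factor.
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8)),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(seed, counter), dynamic truncation, last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = Unix time // period (30 s by default)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // period, digits)


def verify(secret: bytes, code: str, at: Optional[int] = None,
           period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates `window` steps of clock skew either way."""
    t = int(time.time()) if at is None else at
    base = t // period
    return any(hmac.compare_digest(hotp(secret, base + d, digits), code)
               for d in range(-window, window + 1))


def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """End to end: the six digits the extension would display for this QR code."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"])
```

    This is why the code shown in Chrome works in whatever other browser the eRA Commons login is open in (step 7): the code depends only on the seed and the clock, not on the browser or the machine. It is also why the seed deserves the same handling as a password: whoever can read the extension's storage, or the QR image if it was saved, holds the second factor for good, and the "once per computer" enrollment in the steps above leaves one seed per computer to keep track of.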







  • 10.  RE: Two factor authentication at the institution level

    Posted 01-10-2022 10:31
    Oh, I intended to reply off-list, but since I'm here...

    Anyone on this thread, feel free to contact me about using Twilio.


    Ken
    --
    Ken Geis (he/him/his) 
    Director, IT
    Research Administration and Compliance 
    University of California, Berkeley 
    LinkedIn | rac.berkeley.edu | berkeley.edu