August,
I think this going to be a huge issue and I'm hoping the sponsors work this out in the months to come. We have had to buy a central cell phone for the 2FA. It's my understanding there are desktop 2FA options, but that doesn't change the issue at hand. Luckily the sponsors already requiring it (Dept of State, Homeland Security, etc.) are not high volume sponsors, for us, so we've been able to manage. It's hassle for sure, and increases the administrative burden, but we've dealt with it.
We decided immediately to hold off on the NIH portals until June in hopes that the process is improved upon before mandatory implementation in September. We know it's going to be a headache for all the reasons you mentioned...and we're an R15 school. I can't imagine how this would be addressed at a medical school.
An alternative on the table it to have individuals use personal devices to log in most of the time and then submit under a central account, or perhaps submit under their own accounts where portals permit that. That would reduce hassle, but now asks employees to use personal resources for business purposes. That introduces a whole different set of issues (partial compensation for their phone - which no one has money for; possibility of their personal phone being confiscated should something go bad - extreme, but I've seen it happen more than once, etc.).
Sorry, not much help there!
David
------------------------------
David Smelser
Assistant Director, Sponsored Programs
University of Tennessee
------------------------------
Original Message:
Sent: 01-04-2021 12:13
From: Augusta Isley
Subject: Two factor authentication at the institution level
Hello friends,
I hope everyone had a good holiday break and you were able to get some time away.
In an effort to boost security, some sponsors are moving to adopt two-factor authentication for accounts, most notably login.gov and NIH. This is great.... generally! However, we have a number of "institutional" accounts that we use to access information with an admin username and password. The login information is kept in a central spot so that when needs arise within the office, multiple people are able to access as necessary. With two-factor authentication, as you may know, the second factor is tied to a phone number or secondary device to authenticate the person trying to access the account. This could cause some crossed wires on the best of days within an office that isn't distributed, but throw in people working from home and devices / phones not quite all synchronized, and there are some hiccup points!
My questions are pretty general. How are your institutions handling this (or maybe they aren't)? Do you know of any best practices for two-factor authentication with shared, institutional accounts?
------------------------------
Augusta Isley
Senior Proposal Manager
Ball State University
amwray@bsu.edu
------------------------------