General Discussion


Two factor authentication at the institution level

  • 1.  Two factor authentication at the institution level

    NEW MEMBER
    Posted 21 days ago
    Hello friends,
    I hope everyone had a good holiday break and you were able to get some time away. 

    In an effort to boost security, some sponsors are moving to adopt two-factor authentication for accounts, most notably login.gov and NIH. This is great... generally! However, we have a number of "institutional" accounts that we use to access information with an admin username and password. The login information is kept in a central spot so that when needs arise within the office, multiple people are able to access it as necessary. With two-factor authentication, as you may know, the second factor is tied to a phone number or secondary device to authenticate the person trying to access the account. This could cause some crossed wires on the best of days within an office that isn't distributed, but throw in people working from home and devices/phones not quite all synchronized, and there are some hiccup points! 

    My questions are pretty general. How are your institutions handling this (or maybe they aren't)? Do you know of any best practices for two-factor authentication with shared, institutional accounts?

    ------------------------------
    Augusta Isley
    Senior Proposal Manager
    Ball State University
    amwray@bsu.edu
    ------------------------------


  • 2.  RE: Two factor authentication at the institution level

    NEW MEMBER
    Posted 20 days ago
    Augusta,

    I think this is going to be a huge issue and I'm hoping the sponsors work this out in the months to come.  We have had to buy a central cell phone for the 2FA. It's my understanding there are desktop 2FA options, but that doesn't change the issue at hand.  Luckily the sponsors already requiring it (Dept of State, Homeland Security, etc.) are not high volume sponsors, for us, so we've been able to manage.  It's a hassle for sure, and increases the administrative burden, but we've dealt with it. 

    We decided immediately to hold off on the NIH portals until June in hopes that the process is improved upon before mandatory implementation in September.  We know it's going to be a headache for all the reasons you mentioned...and we're an R15 school.  I can't imagine how this would be addressed at a medical school.

    An alternative on the table is to have individuals use personal devices to log in most of the time and then submit under a central account, or perhaps submit under their own accounts where portals permit that.  That would reduce hassle, but now asks employees to use personal resources for business purposes.  That introduces a whole different set of issues (partial compensation for their phone - which no one has money for; possibility of their personal phone being confiscated should something go bad - extreme, but I've seen it happen more than once, etc.).

    Sorry, not much help there!
    David

    ------------------------------
    David Smelser
    Assistant Director, Sponsored Programs
    University of Tennessee
    ------------------------------



  • 3.  RE: Two factor authentication at the institution level

    NEW MEMBER
    Posted 20 days ago
    Commiseration is also helpful. Just to know we aren't the only ones muddling through. :D 

    All of the IT security things I've read, not necessarily linked to higher education, have indicated individuals should have their own accounts. Because of course having a centralized account with multiple users logging in is a poor security practice. But with the way that some sponsor submission portals are set up, it is not feasible or even correct for individuals to have their own accounts.

    ------------------------------
    Augusta Isley
    Senior Proposal Manager
    Ball State University
    amwray@bsu.edu
    ------------------------------



  • 4.  RE: Two factor authentication at the institution level

    NEW MEMBER
    Posted 14 days ago
    Hi David,

    While this does increase the administrative burden, especially on institutions with a large number of grants with federal agencies, it is apparent that the need to increase the security of sensitive information is also at an all-time high. Also, I would like to point out that the Department of Education already has two-factor authentication, which has three points of access for the second authentication. Once you have used your device for any login, as you might guess, it can't be used for any other login. Therefore, I use the "call me" feature when logging in to any account other than our institutional one. Still, you can also use the text feature if your profile has a cellphone attached. I used my office number, which is why the "call me" feature works for me. I think we have this to look forward to, and quite frankly, it might be better than changing passwords every five minutes as we do now.

    Have a great one everyone!

    Nichelle

    ------------------------------
    Nichelle Edwards
    Director, Office Sponsored Programs
    The Chicago School of Professional Psychology
    ------------------------------



  • 5.  RE: Two factor authentication at the institution level

    NEW MEMBER
    Posted 20 days ago
    Hi Augusta.

    At UC Berkeley's Sponsored Projects Office, we set up a shared email account for our officers, then we used Twilio to provision a phone number and configure it to forward incoming text messages to the email account. This has been very useful.

    Some services use a different kind of 2nd factor where they have a robot voice telling you to press a number. We have successfully tested coding Twilio to do this, but we need to be careful about security implications. If the verification just needs someone to press a number, then our bot blindly sending a touch-tone would allow a potential hacker in if they had our credentials. On the other hand, if the verification speaks out a code after our side sends a touch-tone, then it would be secure to record/transcribe the call and forward it to our shared email account.

    ------------------------------
    Ken Geis
    Acting IT Director
    University of California, Berkeley
    ------------------------------
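The setup Ken describes above, sketched as an added example (this is not Berkeley's code and not anything from the original post): webhook handlers for a Twilio number that forward an inbound SMS to a shared mailbox, answer a "press a number" voice call, and mail the transcribed spoken code afterwards. The TwiML verbs (Play digits, Record transcribe/transcribeCallback), the webhook parameter names (From, To, Body, TranscriptionStatus, TranscriptionText) and the X-Twilio-Signature scheme are Twilio's documented ones; the mailbox address, callback URL, endpoint paths and the sample webhook body are assumptions constructed for the example. It uses only the standard library so it runs offline; nothing is actually sent.

```python
"""Route a shared Twilio number's second-factor traffic into a shared mailbox.

Added example, not the original post's code. Assumes a Twilio number whose
SMS/voice webhooks point at this app, and a shared inbox (addresses below are
made up)."""
import base64
import hashlib
import hmac
from email.message import EmailMessage
from typing import Optional
from urllib.parse import parse_qsl
from xml.sax.saxutils import escape

SHARED_MAILBOX = "spo-2fa@example.edu"                          # assumption
TRANSCRIBE_CALLBACK = "https://example.edu/hooks/transcribed"   # assumption
DTMF_CHARS = set("0123456789*#w")   # 'w' = half-second pause in Twilio's Play

# Constructed sample of what Twilio POSTs for an inbound text (not real data).
SAMPLE_SMS_FORM = ("MessageSid=SMtest&From=%2B18005551212&To=%2B15105550100"
                   "&Body=Your+verification+code+is+123456")


def parse_form(body: str) -> dict:
    """Twilio posts webhooks as application/x-www-form-urlencoded."""
    return dict(parse_qsl(body, keep_blank_values=True))


def sign(url: str, params: dict, auth_token: str) -> str:
    """Twilio's request signature: HMAC-SHA1 (keyed with the account auth token)
    over the full webhook URL followed by every POST parameter sorted by name,
    each appended as name+value, then base64-encoded."""
    data = url + "".join(k + params[k] for k in sorted(params))
    mac = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signature_valid(url: str, params: dict, auth_token: str,
                    header_value: Optional[str]) -> bool:
    """Reject spoofed webhooks. Without this, anyone who learns the URL could
    drop a fake "code" into the shared inbox or trigger the DTMF press."""
    return hmac.compare_digest(sign(url, params, auth_token), header_value or "")


def forward_sms(params: dict) -> EmailMessage:
    """Turn an inbound SMS webhook into a mail for the shared inbox."""
    msg = EmailMessage()
    msg["To"] = SHARED_MAILBOX
    msg["Subject"] = f"2FA text from {params.get('From', '?')} to {params.get('To', '?')}"
    msg.set_content(params.get("Body", ""))
    return msg


def answer_voice_call(press_digit: Optional[str]) -> str:
    """TwiML for a voice-based second factor.

    If the sponsor's system only needs someone to press a key, auto-pressing it
    turns the phone factor into nothing (anyone holding the password gets in),
    so press_digit must be None for such services. Only when the press is
    followed by a spoken code do we press the key, record the code and let
    Twilio transcribe it for the shared inbox."""
    play = ""
    if press_digit:
        if not set(press_digit) <= DTMF_CHARS:
            raise ValueError("press_digit must be DTMF characters only")
        play = f'<Play digits="ww{press_digit}"/>'   # short pause, then press
    callback = escape(TRANSCRIBE_CALLBACK, {'"': "&quot;"})
    return ('<?xml version="1.0" encoding="UTF-8"?><Response>' + play +
            f'<Record maxLength="30" transcribe="true" transcribeCallback="{callback}"/>'
            "</Response>")


def forward_transcription(params: dict) -> Optional[EmailMessage]:
    """Handle Twilio's transcription callback; only completed transcripts are mailed."""
    if params.get("TranscriptionStatus") != "completed":
        return None
    msg = EmailMessage()
    msg["To"] = SHARED_MAILBOX
    msg["Subject"] = f"2FA voice code from {params.get('From', '?')}"
    msg.set_content(params.get("TranscriptionText", ""))
    return msg


if __name__ == "__main__":
    form = parse_form(SAMPLE_SMS_FORM)
    print(forward_sms(form))
    print(answer_voice_call("1"))
```

Two caveats worth stating when this is deployed: the shared mailbox now *is* the second factor for those accounts, so it needs its own MFA and a membership list someone actually reviews; and the handler should refuse any webhook whose signature does not validate, otherwise the "code" in the inbox may not have come from the sponsor at all.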



  • 6.  RE: Two factor authentication at the institution level

    NEW MEMBER
    Posted 20 days ago
    Great question, Augusta.  I was concerned about this as well, because it also raises the issue of using personal devices for work and the implications of that practice (I don't know about you, but my institution does not provide me a cell phone for business use!).

    Fortunately, while it's "not preferred", login.gov allows the use of backup codes alone if you don't have a cell phone or other approved device:

    https://www.login.gov/help/creating-an-account/no-phone-or-other-authentication-method/

    We have not yet discussed it broadly as an institutional practice, but it seems a reasonable option for those who share accounts (or simply don't want to mix business with pleasure :-).

    Happy New Year, everyone!

    ------------------------------
    Lisa Churchill
    Sr. Grants Information Manager
    The Salk Institute for Biological Studies
    ------------------------------