This is a collaboration space for the Deployment Strategies Subgroup of the MFA Cohortium. Unless otherwise designated, everything contained here should be viewed as a work in progress, subject to change without notice.
The Deployment Strategies Subgroup explores common issues related to the deployment of multi-factor authentication. Issues include:
- Requirements for users and services
- Options for users (e.g., user choice to require MFA)
- Strategies for inclusion of naive users and users who may be reluctant to use the new technology
- Policy and legal issues (e.g., FERPA, HIPAA)
- Registration and credentialing
- Frameworks (e.g., NIST 800-63) and principles for deploying multi-factor authentication
- Operational Issues
Meetings
The Deployment Strategies Subgroup meets every other week via conference call on alternate Fridays, 2:00p-3:00p ET, starting August 2, 2013.
The deployment@lists.cohortium.internet2.edu list is used for communication between meetings.
- Deployment Strategies Subgroup Meetings
- Agendas and Notes
- 1/31/2014 - 2:00-3:00 ET [Agenda, Notes]
- 1/17/2014 - 2:00-3:00 ET [Agenda, Notes]
- 12/6/2013 - 2:00-3:00 ET [Agenda, Notes]
- 11/22/2013 - 2:00-3:00 ET [Agenda, Notes]
- 11/08/2013 - 2:00-3:00 ET [Agenda, Notes]
- 10/25/2013 - 2:00-3:00 ET [Agenda, Notes]
- 10/11/2013 - 2:00-3:00 ET [Agenda, Notes]
- 9/27/2013 - 2:00-3:00 ET [Agenda, Notes]
- 9/13/2013 - 2:00-3:00 ET [Agenda, Notes]
- 8/30/2013 - 2:00-3:00 ET [Agenda, Notes]
- 8/16/2013 - 2:00-3:00 ET [Agenda, Notes]
- 8/2/2013 - 2:00-3:00 ET [Agenda, Notes]
Work in Progress
White Papers
- Alternative Strategies When Multi-Factor Tokens Are Not Available
- Alternative Strategies When Multi-Factor Tokens Are Not Available - Examples from Cohortium Participants - Add your strategies here.
Topics for Future Discussion
- How does (should?) MFA affect SSO session lifetime? What are the best practices?
- Strategies for achieving acceptance of requirements to use MFA?
- Increased session timeouts
- Physical characteristics of tokens and how they're used
- Require MFA only when needed (for specific roles/services, or in specific geographic locations)
- Start with an opt-in deployment to build a community of enthusiasts