The following is a snapshot of the MFA Cohortium wiki space before its move to a different platform in 2014. Unfortunately, the newer content on that later platform has been lost, so this site serves as the only, if incomplete, record of the MFA Cohortium's work.
The MFA Cohortium
The MFA Cohortium is advancing the use of MFA in higher education. Cohortium participants share their explorations, experiences, expertise, artifacts, and overall roadmap to learning about, planning for, and deploying multi-factor authentication for a variety of key use cases within each institution, as well as federated access to services. The Cohortium unites a committed group of campuses in a focused 15-month effort to help themselves and others to make real progress towards MFA deployments. It will enable your institution, and higher education more broadly, to answer the questions "where do we need MFA?", "how do we deploy it?", and "what will it cost and what is our ROI?". Focused on the research and education (R&E) community, the Cohortium deals with issues and use cases of particular concern within R&E such as integrating MFA into WebSSO, sensitive data, cloud services, distance learners, bring-your-own-device, and the return on investment (ROI) within the R&E environment.
[This is a collaboration space for the members of the MFA Cohortium. While much of the material here is readable for the public, it should be considered a work in progress, subject to change without notice, unless explicitly designated otherwise.]
NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.
(Draft) MFA Roadmap
Cohortium "products": White papers, documents and diagrams published by the Multi-factor Authentication (MFA) "Cohortium"
The following list represents the white papers, documents and diagrams that the MFA Cohortium has officially "published" to date, that is, the artifacts the Cohortium has deemed ready for wider distribution and comment. These artifacts may continue to change as we learn more and draw on wider experience, but they have received sufficient feedback and consensus to be considered useful and ready for a wider audience.
- How Much Security Is Enough?: How much security should be built into an authentication system to mitigate the risk of incorrectly identifying the subject of an authentication event, thereby enabling an attacker to impersonate an authorized user? The answer, of course, depends on the risk tolerance of the services protected by the authentication system.
- Enterprise Deployment Strategies for Multi-Factor Authentication: The introduction of multi-factor authentication (MFA) into an institution must address multiple issues, many of which affect the deployment strategy. Among these are: business drivers, management of institutional risk, acceptance by the user community, usability and accessibility, etc. This paper discusses a few possible deployment strategies and how they address these issues.
- Diagrams providing a visual presentation of MFA Business Drivers, Deployment Decision Trees, and Integration (architecture) Patterns: (each is a PDF)
- Business Drivers for Multi-factor Authentication (MFA): An institution can come to the decision to deploy some form of multi-factor authentication (MFA), or at least an alternate factor, for a variety of reasons. This diagram illustrates some key business drivers that the MFA Cohortium has identified as reasons to begin deploying MFA within the institution. Each driver is linked with a diagram that illustrates the Deployment decision tree one might follow to confirm that the time for an MFA deployment is "now".
- Institutional MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver for MFA is institutionally driven (e.g. risk management).
- User-driven MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver is user driven (e.g. user concerns about their data/enhanced security).
- Achieve Assurance Level MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver for MFA is to achieve InCommon Silver or a higher level of assurance without significant changes to your current password management environment.
- MFA Integration Patterns (architecture) diagrams
- Multi-Factor Authentication Solution Evaluation Criteria: This document outlines criteria that should be considered when evaluating multi-factor authentication products and services. It can also serve as "raw material" for RFPs, technical requirements, and other more formal specifications.
- Alternative Strategies When Multi-Factor Tokens Are Not Available: A requirement for multi-factor authentication also carries the risk of blocking completely valid transactions when people do not have access to their second-factor tokens. The impact of this risk may be small or large, but the risk to business continuity should always be considered when deploying multi-factor authentication. This document presents potential strategies for mitigating this risk.
MFA Business Drivers, Deployment Decision Tree and Integration Patterns
Currently the Business Drivers & Deployment Decision Tree diagrams linked to on that page are in a "Last call for comments" status.
Information about the Cohortium
- What Is the MFA Cohortium?
- Call for Participation -- The Multi-factor Authentication (MFA) "Cohortium"
- Cohortium Goals and Outcomes
- Cohortium Work Schedule
- Cohortium Participants
- Issues Identified and Lessons to Learn
- Cohortium Applications (restricted access)
- Summary of Applications (restricted access)
- The NSTIC-sponsored Internet2 Scalable Privacy (ScalePriv) Project
Collection of Multi-factor Authentication Reference Materials
- Multi-factor Authentication Reference Materials (on Scalable Privacy website)
- The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
- University of Pennsylvania's Two Factor (two-step) Deployment
- Eve Maler's (of Forrester Research) Presentation to the MFA Cohortium on 2013-12-11 (Restricted access: Note you must be authenticated to this wiki to access this.) Presentation about Eve's research on user authentication and how it is changing. In particular, about MFA: the growing need for, technologies to support, and environments in which it needs to be deployed.
Cohortium Meetings
- Cohortium Meetings
- Agenda and Notes
- 03/19/2014, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 03/05/2014, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 02/19/2014, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 02/05/2014, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 01/22/2014, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 01/08/2014, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 12/11/2013, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 11/27/2013, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 11/13/2013, 2:00-3:00 PM EDT - Canceled
- 10/30/2013, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 10/16/2013, 2:00-3:00 PM EDT [Agenda, Recording] This includes the Penn presentation (given by Chris Hyzer) on Penn's deployment of MFA into their campus SSO (Cosign).
- 10/2/2013, 2:00-3:00 PM EDT [Agenda, Recording]
- 9/18/2013, 2:00-3:00 PM EDT - Canceled
- 9/4/2013, 2:00-3:00 PM EDT [Agenda, Recordings]
- 8/21/2013, 2:00-3:00 PM EDT [Agenda, Recordings (no audio after ~36:00), Notes]
- 8/7/2013, 2:00-3:00 PM EDT [Agenda, Recording, Notes] This includes the Duke presentation (given by Rob Carter) on Duke's deployment of MFA into the Shib IdP.
- 7/24/2013, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 7/10/2013, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 6/26/2013, 2:00-3:00 PM EDT [Agenda, Recording, Notes]
- 6/12/2013, 2:00-3:00 PM EDT [Agenda, Recording]
- 5/29/2013, 2:00-3:00 PM EDT [Announcement, Agenda, Presentation (pdf), Recording]
Cohortium Subgroups
- Business Case Subgroup
- Deployment Strategies Subgroup
- Technology Issues Subgroup
- Product and Vendor Issues Subgroup
- Background information regarding the Cohortium Subgroups
Information from Cohortium Members
- Status of Multi-Factor Authentication at Cohortium Member Institutions contains a table showing a very high-level status of MFA deployment at the Cohortium member institutions. It also contains links to documents and other information about the members' deployments of multi-factor authentication.
Key related software activities
These software activities will provide significant enhancements to the ease of incorporating MFA into federated authentication and SSO environments, or to managing aspects of an MFA deployment within a campus.
- CAS and MFA – the Scalable Privacy project and the University of Utah are planning to support the creation, for CAS, of functionality similar to that described in the Shib RFP referred to above.
- InCert - "Open source solution to one of the primary obstacles to large-scale implementation of client certificates: installation and lifecycle management of the certificates on the client device(s). Moreover, InCert is architected to be a full-service end user device network on-boarding tool with the ability to perform functions such as setting device security policies, performing network registration functions, configuring wireless and VPN profiles, and a wealth of other campus-configured services."
Presentations related to MFA and the Cohortium
- Factoring the Authentication Equation: Integrating Multi-factor Authentication into CAS/Shibboleth (A session at Open Apereo 2013 Conference (Jasig & Sakai))
- Given by Mike Grady and Andrew Petro, video of presentation and slides available.
- IAM Online on the MFA Cohortium: "The Multi-factor Authentication (MFA) Cohortium – What is it and what do we hope to accomplish?", Wednesday, Sept. 11, 3pm EDT
- Given by Mike Grady, David Walker, and Eric Goodman; PDF of presentation; attended by about 160 individuals representing more than 100 institutions
- Surveys from presentation:
Information Related to Multi-Factor Authentication
- Strong Authentication for Everyone presented by Pieter van der Meulen and Roland van Rijswijk at the 2013 Internet2 Annual Meeting.
What is the MFA Cohortium?
cohortium: "Group of institutions sharing their explorations, experiences, expertise, artifacts, and overall journey", in this case of planning for and deploying multi-factor authentication.
- Cohort: In statistics and demography, a cohort is a group of subjects who have shared a particular event together during a particular time span [cohort (statistics) from Wikipedia].
- -tium added to noun base to create abstract noun, "something connected with the act", could mean "act, condition, office of...".
Cohortium Membership
Even though Cohortium activities are well underway, we are still accepting applications to participate. Please use the web form on the Application Form page for joining the MFA Cohortium.