From device issues to accessing preferences during MFA processes
Which MFA approaches are already fully accessible and/or introduce new accessibility concerns? Does one need a combination of MFA technologies/devices/strategies to ensure an accessible option for all users?
What about incorporating user display/content presentation preferences into the MFA flow/interface(s)?
FERPA issues in the release of PII (e.g. cell phone number) to a third-party authenticator
More generally, the legal relationship between the enterprise and third-party authenticators
What do we need to ensure that NET+ contracts and/or vendor contracts have sufficient language/safeguards/etc. to satisfy the registrar/legal counsel or fall under "school officials"?
Cloud authenticators and availability
DDoS attacks
What if (or should) enterprise authentication fail under an external DDoS attack?
Generally, identify key barriers to outsourcing components of authentication such as 2nd/additional authentication factors
Fail-over strategies
MFA fails more frequently (does it?), if only for environmental issues
“Fallback” approaches for opt-in deployment models?
ROI of federated MFA
The leverage of federation and MFA is enormous, but how do we capture it/measure it/effectively document it?
What do we (you!) hope to learn in the next 6 months from your involvement in the MFA Cohortium?
Possibilities:
If we offer MFA as an opt-in option to all users, how many take us up on that?
How well does the added Shibboleth Assurance/MFA support work in practice? How easy is it to integrate and deploy?
Same question could be asked for CAS and potentially other SSO environments.
Answers/guidelines/solutions/active work for all of the above issues?