(Draft) MFA Roadmap (Draft)

How does one go about establishing the use of MFA within one's institution? What are the steps one will need to go through? The MFA Cohortium has been working on a lot of documents, diagrams, etc., but there is nothing to bring that all together into a cohesive whole yet. This draft document is an attempt to begin doing so.

Step 1: Establish the business case for why MFA is important enough to focus some resources – priority, time, money, people – on it now.

• See our Business Case subgroup materials
• Example: University of Washington - Elements of Justification
• Risk analysis examples
• Cost examples, Return on Investment examples

Step 2: Generate the specific list of applications that you will start with, and the population of users that will be impacted.

Step 3: Given the above, Establish "How much Security is Enough?"

Step 4: Decide on an Enterprise Deployment Strategy for Multi-Factor Authentication.

The following diagrams present an additional/alternative visual flow chart approach to deciding on an initial deployment strategy for MFA, and how that might integrate with your current Identity Management infrastructure/architecture. Each diagram is a PDF.

• Business Drivers for Multi-factor Authentication (MFA): An institution can come to the decision to deploy some form of multi-factor authentication (MFA), or at least an alternate factor, for a variety of reasons. This diagram illustrates some key business drivers that the MFA Cohortium has identified as reasons to begin deploying MFA within the institution. Each driver is linked with a diagram that illustrates the Deployment decision tree one might follow to confirm that the time for an MFA deployment is "now".
  • Institutional MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver for MFA is institutionally driven (e.g. risk management).
  • User-driven MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver is user driven (e.g. user concerns about their data/enhanced security).
  • Achieve Assurance Level MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver for MFA is to achieve InCommon Silver/higher levels of assurance without significant changes to your current password management environment.
• MFA Integration Patterns (architecture) diagrams
  • Single sign-on (SSO) MFA Integration Pattern
  • Application-based MFA Integration Pattern
  • VPN/Network/Password Portal MFA Integration Pattern

Step 5: Generate an RFP and/or evaluate the MFA technology solutions/vendors as to how they meet the needs you've identified, and the deployment/integration pattern you've chosen to focus on.

• Multi-Factor Authentication Solution Evaluation Criteria This document outlines criteria that should be considered when evaluating multi-factor authentication products and services. It can also serve as "raw material" for RFPs, technical requirements, and other more formal specifications.

Step 6: Consider alternative strategies when multi-factor tokens are not available (e.g. I'm required to do MFA but I forgot my device/it isn't working/etc.), and decide, which, if any are needed/applicable for your deployment.

Step 7: Marketing and Support needs: What kind of marketing/user information campaign will be needed to explain to users what you are doing and why, and how they will be impacted? And what additional user support/help desk/FAQs will be needed to support the deployment and operation of MFA?

Step 8: Create your Project Plan for deployment of MFA.

Step 9: Execute your plan

Step 10: Support it ????