The following is a snapshot of the MFA Cohortium wiki space before its move to a different platform in 2014. Unfortunately, the newer content on that later platform has been lost, so this site serves as the only, if incomplete, record of the MFA Cohortium's work.
The MFA Cohortium
The MFA Cohortium is advancing the use of MFA in higher education. Cohortium participants share their explorations, experiences, expertise, artifacts, and overall roadmap to learning about, planning for, and deploying multi-factor authentication for a variety of key use cases within each institution, as well as federated access to services. The Cohortium unites a committed group of campuses in a focused 15-month effort to help themselves and others to make real progress towards MFA deployments. It will enable your institution, and higher education more broadly, to answer the questions "where do we need MFA?", "how do we deploy it?", and "what will it cost and what is our ROI?". Focused on the research and education (R&E) community, the Cohortium deals with issues and use cases of particular concern within R&E such as integrating MFA into WebSSO, sensitive data, cloud services, distance learners, bring-your-own-device, and the return on investment (ROI) within the R&E environment.
[This is a collaboration space for the members of the MFA Cohortium. While much of the material here is readable for the public, it should be considered a work in progress, subject to change without notice, unless explicitly designated otherwise.]
NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.
Cohortium "products": White papers, documents and diagrams published by the Multi-factor Authentication (MFA) "Cohortium"
The following list represents the white papers, documents and diagrams that the MFA Cohortium has officially "published" to date, i.e. the Cohortium has deemed these ready for wider distribution, comment, etc. These artifacts may continue to change as we learn more and draw from wider experiences, but they have received sufficient feedback and consensus to be considered useful and ready for a wider audience.
- How Much Security Is Enough?: How much security should be built into an authentication system to mitigate the risk of incorrectly identifying the subject of an authentication event, thereby enabling an attacker to impersonate an authorized user? The answer, of course, depends on the risk tolerance of the services protected by the authentication system.
- Enterprise Deployment Strategies for Multi-Factor Authentication: The introduction of multi-factor authentication (MFA) into an institution must address multiple issues, many of which affect the deployment strategy. Among these are: business drivers, management of institutional risk, acceptance by the user community, usability and accessibility, etc. This paper discusses a few possible deployment strategies and how they address these issues.
- Diagrams providing a visual presentation of MFA Business Drivers, Deployment Decision Trees, and Integration (architecture) Patterns: (each is a PDF)
- Business Drivers for Multi-factor Authentication (MFA): An institution can come to the decision to deploy some form of multi-factor authentication (MFA), or at least an alternate factor, for a variety of reasons. This diagram illustrates some key business drivers that the MFA Cohortium has identified as reasons to begin deploying MFA within the institution. Each driver is linked with a diagram that illustrates the Deployment decision tree one might follow to confirm that the time for an MFA deployment is "now".
- Institutional MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver for MFA is institutionally driven (e.g. risk management).
- User-driven MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver is user driven (e.g. user concerns about their data/enhanced security).
- Achieve Assurance Level MFA Decision Tree: Decision Tree (flowchart) you might follow when your primary initial driver for MFA is to achieve InCommon Silver/higher levels of assurance without significant changes to your current password management environment.
- MFA Integration Patterns (architecture) diagrams
- Multi-Factor Authentication Solution Evaluation Criteria: This document outlines criteria that should be considered when evaluating multi-factor authentication products and services. It can also serve as "raw material" for RFPs, technical requirements, and other more formal specifications.
- Alternative Strategies When Multi-Factor Tokens Are Not Available: A requirement for multi-factor authentication also carries the risk of preventing completely valid transactions when people do not have access to their second-factor tokens. The impact of this risk may be small or large, but the risk to business continuity should always be considered when deploying multi-factor authentication. This document presents potential strategies for mitigating this risk.
Currently the Business Drivers & Deployment Decision Tree diagrams linked to on that page are in a "Last call for comments" status.
Information about the Cohortium
Cohortium Meetings
Cohortium Subgroups
Information from Cohortium Members
Key related software activities
These software activities will provide significant enhancements to the ease of incorporating MFA into federated authentication and SSO environments, or in managing aspects of an MFA deployment within a campus.
- CAS and MFA – the Scalable Privacy project and the University of Utah are planning to support the creation, for CAS, of functionality similar to that described in the above Shib RFP.
- InCert - "Open source solution to one of the primary obstacles to large-scale implementation of client certificates: installation and lifecycle management of the certificates on the client device(s). Moreover, InCert is architected to be a full-service end user device network on-boarding tool with the ability to perform functions such as setting device security policies, performing network registration functions, configuring wireless and VPN profiles, and a wealth of other campus-configured services."
Presentations related to MFA and the Cohortium
Information Related to Multi-Factor Authentication
What is the MFA Cohortium?
cohortium: "Group of institutions sharing their explorations, experiences, expertise, artifacts, and overall journey", in this case of planning for and deploying multi-factor authentication.
- Cohort: In statistics and demography, a cohort is a group of subjects who have shared a particular event together during a particular time span [cohort (statistics) from Wikipedia].
- -tium added to noun base to create abstract noun, "something connected with the act", could mean "act, condition, office of...".
Cohortium Membership
Even though Cohortium activities are well underway, we are still accepting applications to participate. Please use the web form in Application Form for joining the MFA Cohortium.
The MFA Cohortium wiki has moved! Please browse to its new home.