Issues Identified and Lessons to Learn

• Accessibility support
  • From device issues to accessing preferences during MFA processes
  • Which MFA approaches are already fully accessible and/or introduce new accessibility concerns? Does one need a combination of MFA technologies/devices/strategies to ensure an accessible option for all users?
  • What about incorporating user display/content presentation preferences into the MFA flow/interface(s)?

• FERPA issues in the release of PII (e.g. cell phone number) to third party authenticator
  • More generally the legal relationship between enterprise and third party authenticators
  • What do we need to ensure NET+ contracts and/or vendor contracts have sufficient language/safeguards/etc. to satisfy registrar/legal council/fall under "school officials"?

• Cloud authenticators and availability
  • DDOS attacks
  • What if/should enterprise authentication fail under external DDOS attack?
  • Generally, identify key barriers to outsourcing components of authentication such as 2nd/additional authentication factors

• Fail-over strategies
  • MFA fails more frequently (does it?), if only for environmental issues
  • “Fallback” approaches for opt-in deployment models?

• ROI of federated MFA
  • The leverage of federation and MFA is enormous, but how do we capture it/measure it/effectively document it?

• What do we (you!) hope to learn in the next 6 months from your involvement in the MFA Cohortium?
  • Possibilities:
    • If we offer MFA as an opt-in option to all users, how many take us up on that?
    • How well does the added Shibboleth Assurance/MFA support work in practice? How easy is it to integrate and deploy?
    • Same question could be asked for CAS and potentially other SSO environments.
    • Answers/guidelines/solutions/active work for all of the above issues?