MFA is common place at the cohorts I interface with, and was driven by a mix of the financial aid security requirements (GLBA) finally being enforced (Dear Colleague Letter in 2014), and Internet2 Net+ collaborations starting with DUO in 2012. If you're an organization with everything behind SSO, then MFA is a pretty simple add. If your organization has a Office365 tenant, MFA comes along for free as does their federation service. Other than apathy, the barrier to adoption is pretty low.
That said, when we talk about risk, you don't necessarily have to mitigate everything to be successful i.e. every resource behind MFA. You simply need enough of the primary services enabled where a bad actor simply moves on to an easier target. If the Employee HR portal (where direct deposit info can be changed) and email are behind SSO + MFA with other primary apps, you're risk becomes significantly smaller. Jeff From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 2:01 PM To: [email protected] Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? I was saying there are very few organizations that truly have every resource, where the primary password is used, enabled for MFA. ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]<mailto:[email protected]>> on behalf of Scott Bertilson <[email protected]<mailto:[email protected]>> Sent: Wednesday, August 19, 2020 4:45:27 PM To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Tim commented: ...I highly doubt a majority of organizations have every single non-Wi-Fi resource protected with strong MFA at this point in time. In our case, we use PEAP and use the same PW for WiFi as for everything else, but most of everything else (and growing) requires MFA. I hope that's what he meant or else I'm missing something about how you make MFA work for WiFi in any large installation. ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C9017b6bf7ed84dae2cfe08d84480d90a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334667477262286&sdata=mvBwerz%2FDEVShRIIxKtFZe5BAt8Jh%2BPTKBGAp6HEBV0%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
