Penn State Identity Services: Two-Factor Authentication (2FA) Opt-Out Decision

Author: Identity Services Two-Factor Authentication (2FA) service team (Andrea Harrington, Sue Jones, Max Miller, Jimmy Brown, and Paul Yeager)

Revision date: 12/1/2015

Overview

This document represents the Identity Services (IdS) Opt-Out (un-enroll) decision, with approval from the Office of Information Security (OIS), related to the Two-Factor Authentication (2FA) service.

Problem Statement

The upcoming integration of WebAccess, Penn State's single-sign-on solution, with Two-Factor Authentication (2FA) through Duo Security means that many Penn Staters will need to use 2FA in order to gain access to Penn State websites and services.

Since the requirement for faculty and staff to use 2FA will be phased in, and the student and affiliate populations as a whole will not be required to enroll in 2FA, Identity Services (IdS) needs policies and procedures that allow individuals who have enrolled in 2FA but are not required, or not yet required, to use it to un-enroll from the service.

This document is intended to address the conditions under which an individual may opt out of (un-enroll from) 2FA after having enrolled, and to outline the process by which the un-enrollment will be completed.

Opt-Out (Un-enrollment) Decision

The 2FA/WebAccess integration roll-out plan will dictate who (individuals or groups) will be required to use 2FA for WebAccess-protected sites, and when those individuals and groups will have to begin using the service.

It is important to note, however, that the roll-out plan does not supersede the right of the administrator(s) of a WebAccess-protected site to require two-factor authentication through Penn State's 2FA service. If an individual site requires 2FA, then all users of that site will be required to enroll in 2FA, and will then use 2FA to gain access to WebAccess-protected sites, even if those users would not otherwise be required to use 2FA.

There are two populations of Penn Staters who may choose to un-enroll from (opt out of) 2FA after having previously enrolled:

• Students/Affiliates: As a general rule, students and affiliates will not be required to use 2FA (although enrollment might be necessary in order to have access to sites or systems that are protected by a local implementation of 2FA). Un-enrollment may be requested at any time before, during, or after the roll-out of the 2FA/WebAccess integration.

• Faculty/Staff Not Yet Required to Use 2FA: Ultimately, the completion of the phased roll-out of the 2FA/WebAccess integration will result in all Penn State faculty and staff being required to use 2FA, and therefore to be enrolled in 2FA, in order to conduct business at Penn State.

However, any faculty or staff member who has enrolled in 2FA and is not yet required to use the service may un-enroll until such time as enrollment becomes mandatory for that individual under the phased roll-out plan. (Note that enrollment might be necessary even for an individual or group for which it is not yet required in order to have access to sites that are protected by a local implementation of 2FA.)

Any request to un-enroll by an individual or group other than those listed above will be escalated to IdS for consideration.

Authorized

The ability to un-enroll users will be limited to appropriate IT staff members (Duo Admin Panel rights are required):

• Select IT Service Desk personnel

• IdS 2FA service team members

• Other IT staff assigned by IdS

Un-enrollment Procedure

The following procedure will be followed to un-enroll any enrolled user who meets the criteria listed above:

• Proof the user by the standard IT Service Desk identity-verification process.

• Determine why un-enrollment is being requested.

• Confirm that the user's Duo enrollment is not used for any other purpose (for example, a local implementation of 2FA such as the College of Engineering's); if it is, deleting the user would also remove that access.

• Give the user the required-by date, if applicable, by which they will need to re-enroll (for example, faculty/staff will be required by the end of Spring 2016).

• Confirm that the user wants to un-enroll.

• Search for the user in the Duo Admin Panel.

• Delete the user account from the Duo Admin Panel.

• Open a ServiceNow ticket to the IdS 2FA team to have the user removed from the self-service portal.