Presentation is loading. Please wait.

Presentation is loading. Please wait.

Two Factor Authentication Protocol and the Protection of PII Steven A. Burke U.S. Department of Education 1.

Published byLilian Quinn Modified over 9 years ago

Similar presentations

Presentation on theme: "Two Factor Authentication Protocol and the Protection of PII Steven A. Burke U.S. Department of Education 1."— Presentation transcript:

1 Two Factor Authentication Protocol and the Protection of PII Steven A. Burke U.S. Department of Education 1

2 Project Overview To comply with the White House through the United States Office of Management and Budget (OMB) mandate, Memorandum M07-16 attachment 1, and as part of our ongoing efforts to ensure the security of Federal Student Aid data systems, the U.S. Department of Education is required to implement a security protocol through which all authorized users will enter two forms of “authentication” to access Federal Student Aid systems via the Internet. This process is referred to as Two Factor Authentication (TFA). 2

3 Postsecondary School Federal Financial Aid Eco-System 3 6,400 unique institutions of higher education Over 3,000 financial partners Over 90K privileged accounts Over 70M unique identities Over 320M loans Over 96M grants Supporting students in 35 countries $1T loan book Over 13M students Over 30M aid awards Over $120B injected into the eco-system each year FSA Staff: ~1,300 Contractors: ~ 10,000 Services Aid Apps Grants Loan Origination Loan Servicing Debt Collection Compliance

4 Protecting PII Keylogger Threats 4

5 What is a Keylogger? A pervasive type of malware that can: Record keystrokes Read data transferred (even over secure connections) Take screenshots of the user’s screen Transmit all stolen data back to a central location Data stolen usually includes logon IDs, Social Security numbers, bank/credit card information, etc. The most common keylogger is WSNPOEM a.k.a. “Banker” or “InfoStealer” 93% of the keylogger incidents at FSA are WSNPOEM 5

6 Respond to keylogger breaches swiftly! 6

7 Response to Keylogger Compromises Deactivate the user account immediately Contact the user and inform them what has happened and their required next steps Review audit logs for any signs of suspicious activity Unusual logon times; unusual/multiple logon IP addresses; unusual logon activity At a minimum, go back at least 60 days from the date the account was compromised Make the user provide evidence the machine has been cleansed and account is not reactivated until has been approved by the FSA Security and Privacy team Make sure a new password is required before the account is reactivated 7

8 Keylogger Countermeasures Use one-time passwords or multifactor authentication Install antivirus and malware protection: Keep them up to date (set an automatic schedule); free versions are available (AVG Antivirus, Spybot S&D Malware Prevention) There is specific antikeylogger software Do not click on links from unknown, untrusted sources Enable your firewalls and avoid peer-to-peer sites Be wary of using public computers, e.g., hotel and library computers 8

9 Two Factor Authentication Scope 9 Provide safe and secure access to FSA network services Primary systems impacted across the enterprise NSLDS, CPS, COD, AIMS, PM, FMS, and SAIG This project encompasses approximately 96K users FSA employees, Dept. of ED employees Partners Postsecondary Schools Destination Point Administrators (DPA) Guaranty Agencies Servicers, PCA’s, NFPs Call Centers, Developers, Contractors, and Sub-Contractors TFA project is focused on privileged users A privileged user is anyone who can see more than just their own personal data

10 What is Two Factor Authentication? 10 Something that you know is the First Factor: User ID and Password Something that you have is the Second Factor: Token with a One Time Password The One Time Password (OTP) will be generated by a small electronic device, known as the TFA Token, that is in the physical possession of the user To generate the OTP, a user will press the “power” button on the front of the token A different OTP will be generated each time the button is pressed Alternative Methods of obtaining OTP without TFA Token: A) Answer three Challenge Questions online B) Have the OTP sent to your Smart Phone

11 TFA Project Phases 11 Phase 1 To ensure the successful deployment of two factor tokens for FSA – Citrix users 1,300 completed 5/1/2011 Phase 2 To ensure the successful deployment of two factor tokens for Department of Education Staff and FSA Contractors approximately 5,200 users and FSA Contractors have completed 10/28/2011 Phase 3 International users, Foreign Schools (FS) and Domestic Schools, when logging into FSA systems across 35 countries completed12/31/2011 Domestic users, to ensure the successful deployment of two factor tokens for users when logging into FSA systems: 88,600 users by12/31/2012 Phase 4 Guaranty Agencies, TIVAS, Third Party Servicers, Not-for-Profits, Payment Collection Agencies (PCA), and VPN users connecting through Virtual Data Center (VDC)

12 TFA Deployment Status 12 Total TFA Tokens Deployed: 32,176 to 35 Countries Tokens Deployed to Phase III & IV for Partners: 25,594 System Update: 90% Complete NSLDS moved behind AIMS, completed on 12/18/2011 COD TFA enabled on 1/28/2012 SAIG Enrollment TFA enabled 2/12/2012 EDconnect TFA enabled 3/4/2012

13 13 TFA Token Deployment Forecast

14 Attestation/Confirmation Process For each school, the Primary Destination Point Administrator (PDPA) and the COD Security Administrator need to work together to ensure all users have been identified and receive tokens Step 1: Confirmation/Attestation Confirm/Attest to the individuals (unique users) at your school who are authorized users of one or more of the identified Federal Student Aid systems. This confirmation will only be used to determine the TOTAL NUMBER of tokens you will receive Identify any Third Party Servicer(s) supporting your school Confirm the physical street address to which tokens should be shipped, and provide a telephone number where we can contact you NOTE: We cannot ship to PO Boxes 14

15 Attestation/Confirmation Process Step 2: Federal Student Aid Ships Tokens to School The tokens will be sent to the attention of the PDPA via UPS Step 3: Token Receipt, Distribution, and Registration After the tokens are shipped, FSA will send a follow-on e-mail with more information about token distribution and registration The tokens are to be registered within 7 days of receipt 15

16 How do I Register my Token? 16 Once you receive your token you must register it for each system for which you have access to and utilize Each FSA System website will be slightly different when logging in and registering your token Next Steps: Click on the following link: https://fafsa.ed.gov/FOTWWebApp/faa/faa.jsp Then click on the Register/Maintain token URL on the top right hand side of the screen.

17 TFA Frequently Asked Questions Will I be locked out of FSA systems if I don’t have a token? Once your school has been TFA enabled (locked) a token will be required to access FSA systems I received more tokens than I have authorized users. What do I do with the extra tokens? Each token shipment will include at least one (1) extra TFA token, for use as a replacement for a lost or broken token, or for issue to a new authorized user I need more tokens. How do I get them? For additional tokens please send an e-mail to [TFA_Communications@ed.gov] We can only send tokens to the Primary DPA Do I need to provide tokens to my Third Party Servicer? No, however please indicate the name and point of contact if you have engaged a Third Party Servicer 17

18 Support Contacts Central Processing System – Financial Aid Administrators (CPS-FAA) Student Aid Internet Gateway (SAIG) Phone: 1-800-330-5947 / TTY 1-800-511-5806 E-mail: CPSSAIG@ed.govCPSSAIG@ed.gov Website: FAA Access CPS Online (https://faaaccess.ed.gov/FOTWWebApp/faa/faa.jsp)https://faaaccess.ed.gov/FOTWWebApp/faa/faa.jsp National Student Loan Data System (NSLDS) Phone: 1-800-999-8219 E-mail: nslds@ed.govnslds@ed.gov Common Origination and Disbursement (COD) Phone: COD School Relations Center 1-800-474-7268 (for Grants) Phone: COD Direct Loans 1-800-848-0978 E-mail: CODSupport@acs-inc.comCODSupport@acs-inc.com 18 Employee Enterprise Business Collaboration (EEBC) Support Hours: Monday-Friday, 8 AM – 5 PM Phone: 1-866-441-6633 E-mail: eebcservicerequest@ed.goveebcservicerequest@ed.gov eCampus-Based (eCB) Support Hours: Monday-Friday, 8 AM – 8 PM Phone: 1-877-801-7168 E-mail: cbfob@ed.govcbfob@ed.gov E-mail: secarch@ed.gov Website: The eCampus-Based System (https://cbfisap.ed.gov/ecb/CBSWebApp/welcome.jsp)https://cbfisap.ed.gov/ecb/CBSWebApp/welcome.jsp Two Factor Authentication Questions: For general questions about TFA E-mail: TFA_Communications@ed.govTFA_Communications@ed.gov

Download ppt "Two Factor Authentication Protocol and the Protection of PII Steven A. Burke U.S. Department of Education 1."

Similar presentations

AmeriCorps is introducing a new online payment system for the processing of AmeriCorps forms

AmeriCorps is introducing a new online payment system for the processing of AmeriCorps forms
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
EAuthentication Before accessing the Delphi eInvoicing System, you must be an authenticated user. This authentication process is called eAuthentication.

EAuthentication Before accessing the Delphi eInvoicing System, you must be an authenticated user. This authentication process is called eAuthentication.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Session #56 Two-Factor Authentication Steven Burke & James McMahon U.S. Department of Education.

Session #56 Two-Factor Authentication Steven Burke & James McMahon U.S. Department of Education.
1 Paying it Safe everything you need to know about making the billing and payment process efficient and painless Kimberley A. Kercheval Executive Associate.

1 Paying it Safe everything you need to know about making the billing and payment process efficient and painless Kimberley A. Kercheval Executive Associate.
National Service Trust Automation Project Training Materials: Members and Alumni Corporation for National & Community Service (CNCS) National Service Trust.

National Service Trust Automation Project Training Materials: Members and Alumni Corporation for National & Community Service (CNCS) National Service Trust.
C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?

C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?
15 Tactical Improvements to IT Security Virtual Keyboard, Two Factor Authentication, Active Confirmation and FAA Access to CPS Online Ganesh Reddy.

15 Tactical Improvements to IT Security Virtual Keyboard, Two Factor Authentication, Active Confirmation and FAA Access to CPS Online Ganesh Reddy.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Federal Student Aid Technical Architecture Initiatives James McMahon Ganesh Reddy U.S. Department of Education Session T-03.

Federal Student Aid Technical Architecture Initiatives James McMahon Ganesh Reddy U.S. Department of Education Session T-03.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Session 7 Direct Loan Funding & Cash Management Anthony (Tony) Laing Tremayne Cobb 1.

Session 7 Direct Loan Funding & Cash Management Anthony (Tony) Laing Tremayne Cobb 1.
11-01: Get Started with SCP Supply Chain Platform Training Presentation Updated April 2009.

11-01: Get Started with SCP Supply Chain Platform Training Presentation Updated April 2009.
Mobile One-Time Password. Page 2 About Changingtec -Member of group -Focus on IT security software CompanyChanging Information Technology Inc Set upApril.

Mobile One-Time Password. Page 2 About Changingtec -Member of group -Focus on IT security software CompanyChanging Information Technology Inc Set upApril.
Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.
Live Support A “receptionist” on your website (typing) Can answer questions Transfer calls to different departments Take messages Automatically “push”

Live Support A “receptionist” on your website (typing) Can answer questions Transfer calls to different departments Take messages Automatically “push”
Achieving the Dream Leader College recognizes an institution’s impact in the effort to improve student success and eliminate achievement gaps nationwide.

Achieving the Dream Leader College recognizes an institution’s impact in the effort to improve student success and eliminate achievement gaps nationwide.
CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. Emails. Safe browsing for shopping and online banks. Social media.

CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. s. Safe browsing for shopping and online banks. Social media.

Similar presentations

Ads by Google