Two Factor Authentication

Presentation transcript:

Two Factor Authentication Steven Burke U.S. Department of Education 2012 Software Developers Webinar #3

Agenda
  Project Overview
  Postsecondary School Federal Financial Aid Eco-System
  Project Scope
  Project Phases and Deployment Status
  TFA Attestation Lifecycle
  TFA Attestation/Confirmation Process
  Registration Scenarios
  Frequently Asked Questions
  Additional Resources

Project Overview
  In 2010, an estimated 90,000 accounts were identified as accessing FSA systems without second-factor authentication.
  FSA hosts at least 80 million records, none of which are currently protected in accordance with industry best practices and Office of Management and Budget (OMB) mandate M-07-16.
  The U.S. Department of Education is implementing a security protocol through which all authorized users will be required to enter two forms of “authentication” to access Federal Student Aid systems via the Internet. This process is referred to as Two Factor Authentication (TFA).

Postsecondary School Federal Financial Aid Eco-System
  6,400 unique institutions of higher education
  Over 3,000 financial partners
  Over 90K privileged accounts
  Over 70M unique identities
  Over 320M loans
  Over 96M grants
  Supporting students in 35 countries
  $1T loan book
  Over 13M students
  Over 30M aid awards
  Over $120B injected into the eco-system each year
  FSA Staff: ~1,300
  Contractors: ~10,000
  Services: Aid Apps, Grants, Loan Origination, Loan Servicing, Debt Collection, Compliance

Two Factor Authentication Scope
  Provide safe and secure access to FSA network services
  Primary systems impacted across the enterprise: NSLDS, CPS, COD, AIMS, PM, FMS, and SAIG
  This project encompasses approximately 90K users:
    FSA employees, Dept. of ED employees
    Partners
    Postsecondary School Destination Point Administrators (DPA)
    Guaranty Agencies
    Servicers, PCAs, NFPs
    Call Centers, Developers, Contractors, and Sub-Contractors
  TFA project is focused on privileged users
    A privileged user is anyone who can see more than just their own personal data

What is Two Factor Authentication?
  Something that you know is the First Factor: User ID and Password
  Something that you have is the Second Factor: Token with a One Time Password
  The One Time Password (OTP) will be generated by a small electronic device, known as the TFA Token, that is in the physical possession of the user
  To generate the OTP, a user will press the “power” button on the front of the token
  A different OTP will be generated each time the button is pressed
  Alternative methods of obtaining an OTP without the TFA Token:
    A) Answer three Challenge Questions online
    B) Have the OTP sent to your Smart Phone

TFA Project Phases
  Phase 1: To ensure the successful deployment of two factor tokens for FSA – Citrix users; 1,300 completed 5/1/2011
  Phase 2: To ensure the successful deployment of two factor tokens for Department of Education Staff and FSA Contractors; approximately 5,200 users and FSA Contractors completed 10/28/2011
  Phase 3:
    International users, Foreign Schools (FS) and Domestic Schools, when logging into FSA systems across 35 countries; completed 12/31/2011
    Domestic users, to ensure the successful deployment of two factor tokens for users when logging into FSA systems; 88,600 users by 12/31/2012
  Phase 4: Guaranty Agencies, TIVAS, Third Party Servicers, Not-for-Profits, Payment Collection Agencies (PCA), and VPN users connecting through Virtual Data Center (VDC)

TFA Deployment Status
  Total TFA Tokens Deployed: 48,280 in the USA and 35 Countries
  Tokens Deployed to Phase III & IV for Partners: 41,698
  Partner tokens registered: 23,357
  Percent Registered: 56%
  System Update: 90% Complete
    NSLDS moved behind AIMS, completed on 12/18/2011
    COD TFA enabled on 1/28/2012
    SAIG Enrollment TFA enabled 2/12/2012
    EDconnect TFA enabled 3/4/2012

TFA Attestation Lifecycle

TFA Token Deployment Forecast, as of 8/17/2012
Group State Initial Estimated Schools/Users Estimated Completion Lockout Date Revised Lockout Date Attestation Completed Estimated Completion Lockout
3/2011 347 Schools 1,529 Users 10/30/2011 10/30/2012 347 Schools (1,444) Users
6 AR 3/2011 521 Schools 6,122 Users 8/3/2012 8/17/2012 ( ) Schools ( ) Users
FS CO DeVry GA KS MO
1 DC 3/2011 323 Schools 2,622 Users 2/27/2012 6/8/2012 6/8/2012 315 Schools (2,913) Users
DE
7 AZ 3/2011 631 Schools 7,158 Users 9/7/2012 11/23/2012 As of 8/17/2012 ( ) Schools ( ) Users
MD CT VA IA WV IL IN
2 NC 3/2011 742 Schools 5,154 Users 3/16/2012 6/8/2012 607 Schools (4,791) Users
LA NJ NY
8 AL 3/2011 502 Schools 3,362 Users 10/12/2012 ( ) Schools ( ) Users
SC AS FC
3 KY 3/2011 866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012 (788) Schools (6,360) Users
FM MI GU NE HI NH MA OH ME PA MH RI MP VT MS TN
4 3/2011 780 Schools 8,155 Users 5/25/2012 As of 8/17/2012 (513) Schools (5,524) Users
CA
9 MT 3/2011 455 Schools 3,470 Users 11/16/2012 ( ) Schools ( ) Users
FL NM NV PR
5 AK 3/2011 643 Schools 5,740 Users 6/29/2012 As of 8/17/2012 (469) Schools (3,852) Users
PW ID UT MN WA ND WI OR WY SD TX

Attestation/Confirmation Process
  For each school, the Primary Destination Point Administrator (PDPA) and the COD Security Administrator need to work together to ensure all users have been identified and receive tokens
  Step 1: Confirmation/Attestation
    Confirm/Attest to the individuals (unique users) at your school who are authorized users of one or more of the identified Federal Student Aid systems. This confirmation will only be used to determine the TOTAL NUMBER of tokens you will receive
    Identify any Third Party Servicer(s) supporting your school
    Confirm the physical street address to which tokens should be shipped, and provide a telephone number where we can contact you
    NOTE: We cannot ship to PO Boxes

Attestation/Confirmation Process
  Step 2: Federal Student Aid Ships Tokens to School
    The tokens will be sent to the attention of the PDPA via UPS
  Step 3: Token Receipt, Distribution, and Registration
    After the tokens are shipped, FSA will send an e-mail with more information about token distribution and registration
    The tokens are to be registered within 7 days of receipt

Attestation/Confirmation Process
  To expedite the attestation/confirmation process:
    Click “reply” to respond to the attestation email message (please do not change the subject line)
    Example Subject Line: GR6 - AR - University Of Central Arkansas - 00109200 - Attestation Required
    Complete the TFA Attestation form embedded in the attestation email

Attestation/Confirmation Process

How do I register my token?
  Once you receive your token you must register it once for the systems behind PM (NSLDS, CPS and SAIG/EDconnect) and once for each COD account.
  Each FSA System website will be slightly different when logging in and registering your token
  Next Steps:
    Click on the following link: https://fafsa.ed.gov/FOTWWebApp/faa/faa.jsp
    Then click on the Register/Maintain token URL on the top right hand side of the screen.

TFA Registration Scenarios
  John has access to NSLDS, CPS and SAIG. He will need to register his token only once.
    Participation Management (PM) (NSLDS, CPS FFA, SAIG): John Doe; FSA user ID: John.Doe.FSA; Token S/N: AVT 886123456
    COD: N/A

TFA Registration Scenario 2
  John has access to NSLDS, CPS and SAIG and has (1) COD user ID. He will need to register his token (2) times.
    Participation Management (PM) (NSLDS, CPS FFA, SAIG): John Doe; FSA user ID: John.Doe.FSA; Token S/N: AVT 886123456
    COD: John Doe; COD user ID: JDOE01; Token S/N: AVT 886123456

TFA Registration Scenarios
  John has access to NSLDS, CPS and SAIG and has (3) COD user IDs. He will need to register his token (4) times.
    Participation Management (PM) (NSLDS, CPS FFA, SAIG): John Doe; FSA user ID: John.Doe.FSA; Token S/N: AVT 886123456
    COD: John Doe; COD user ID: JDOE01; COD user ID: JDOE02; COD user ID: JDOE03; Token S/N: AVT 886123456

TFA Registration Scenario 4
  John has access to COD and has (1) COD user ID. He will need to register his token only once.
    Participation Management (PM) (NSLDS, CPS FFA, SAIG): N/A
    COD: John Doe; COD user ID: JDOE01; Token S/N: AVT 886123456

TFA Registration Scenarios
  John has access to COD and has (3) COD user IDs. He will need to register his token (3) times.
    Participation Management (PM) (NSLDS, CPS FFA, SAIG): N/A
    COD: John Doe; COD user ID: JDOE01; COD user ID: JDOE02; COD user ID: JDOE03; Token S/N: AVT 886123456

TFA Frequently Asked Questions
  Will I be locked out of FSA systems if I don’t have a token?
    Once your school has been TFA enabled (locked), a token will be required to access FSA systems
  I received more tokens than I have authorized users. What do I do with the extra tokens?
    Each token shipment will include at least one (1) extra TFA token, for use as a replacement for a lost or broken token, or for issue to a new authorized user
  I need more tokens. How do I get them?
    For additional tokens please send an e-mail to TFA_Communications@ed.gov
    We can only send tokens to the Primary DPA
  Do I need to provide tokens to my Third Party Servicer?
    No, however please indicate the name and point of contact if you have engaged a Third Party Servicer

Support Contacts
  Two Factor Authentication Questions
    For general questions about TFA
    E-mail: TFA_Communications@ed.gov
  Central Processing System – Financial Aid Administrators (CPS-FAA) / Student Aid Internet Gateway (SAIG)
    Phone: 1-800-330-5947 / TTY 1-800-511-5806
    E-mail: CPSSAIG@ed.gov
    Website: FAA Access CPS Online (https://faaaccess.ed.gov/FOTWWebApp/faa/faa.jsp)
  National Student Loan Data System (NSLDS)
    Phone: 1-800-999-8219
    E-mail: nslds@ed.gov
  Common Origination and Disbursement (COD)
    Phone: COD School Relations Center 1-800-474-7268 (for Grants)
    Phone: COD Direct Loans 1-800-848-0978
    E-mail: CODSupport@acs-inc.com
  Employee Enterprise Business Collaboration (EEBC)
    Support Hours: Monday-Friday, 8 AM – 5 PM
    Phone: 1-866-441-6633
    E-mail: eebcservicerequest@ed.gov
  eCampus-Based (eCB)
    Support Hours: Monday-Friday, 8 AM – 8 PM
    Phone: 1-877-801-7168
    E-mail: cbfob@ed.gov
    E-mail: secarch@ed.gov
    Website: The eCampus-Based System (https://cbfisap.ed.gov/ecb/CBSWebApp/welcome.jsp)

Contact Information
  We appreciate your feedback and comments. Please contact:
    Leslie A. Willoughby
    Phone: (202) 377-3896
    Email: Leslie.Willoughby@ed.gov