Two Factor Authentication Protocol and the Protection of PII
Steven A. Burke, U.S. Department of Education


Project Overview

To comply with the White House mandate issued through the United States Office of Management and Budget (OMB), Memorandum M-07-16, Attachment 1, and as part of its ongoing efforts to secure Federal Student Aid data systems, the U.S. Department of Education is required to implement a security protocol under which every authorized user presents two forms of authentication to access Federal Student Aid systems over the Internet. This process is referred to as Two Factor Authentication (TFA).

Postsecondary School Federal Financial Aid Eco-System

- 6,400 unique institutions of higher education
- Over 3,000 financial partners
- Over 90K privileged accounts
- Over 70M unique identities
- Over 320M loans
- Over 96M grants
- Supporting students in 35 countries
- $1T loan book
- Over 13M students
- Over 30M aid awards
- Over $120B injected into the eco-system each year
- FSA staff: ~1,300; contractors: ~10,000
- Services: aid applications, grants, loan origination, loan servicing, debt collection, compliance

Protecting PII: Keylogger Threats

What is a Keylogger?

A pervasive type of malware that can:
- Record keystrokes
- Read data transferred, even over secure connections (the malware runs on the user's own machine and captures data before TLS encrypts it or after the browser decrypts it, so HTTPS alone does not defend against it)
- Take screenshots of the user's screen
- Transmit all stolen data back to a central location

Data stolen usually includes logon IDs, Social Security numbers, bank/credit card information, etc.

The most common keylogger is WSNPOEM, a.k.a. "Banker" or "InfoStealer"; 93% of the keylogger incidents at FSA are WSNPOEM.

Respond to keylogger breaches swiftly!

Response to Keylogger Compromises

- Deactivate the user account immediately
- Contact the user, tell them what has happened, and explain their required next steps
- Review audit logs for any signs of suspicious activity: unusual logon times, unusual or multiple logon IP addresses, unusual logon activity
- At a minimum, go back at least 60 days from the date the account was compromised
- Require the user to provide evidence that the machine has been cleansed; the account is not reactivated until the FSA Security and Privacy team has approved it
- Make sure a new password is required before the account is reactivated
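The audit-log review step above, as an added example (this is not FSA's tooling or a script from the original presentation): it looks back a fixed window from the compromise date and reports the indicators the slide lists, namely logons outside business hours, multiple or previously unknown source IPs, and failed logons. The log format, the sample lines, the business-hours range and the `known_ips` parameter are all assumptions made for this illustration.

```python
"""Audit-log review for a suspected keylogger compromise.

Added illustration, not FSA's tooling. It implements the review steps from
the slide: look back a fixed window (60 days by default) from the compromise
date and flag unusual logon times, multiple/unknown source IPs and failed
logons. The log format and the sample lines below are constructed for this
example.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 UTC timestamp> <user> <source IP> <result>".
SAMPLE_LOG = """\
2011-11-01T10:00:00Z jdoe 192.0.2.5 SUCCESS
2012-01-05T09:12:44Z jdoe 203.0.113.10 SUCCESS
2012-01-06T08:55:02Z jdoe 203.0.113.10 SUCCESS
2012-02-20T03:17:09Z jdoe 198.51.100.77 SUCCESS
2012-02-21T02:48:31Z jdoe 198.51.100.77 FAILURE
2012-02-21T02:49:03Z jdoe 198.51.100.77 SUCCESS
2012-02-22T10:30:00Z asmith 203.0.113.22 SUCCESS
"""


def parse_log(text):
    """Yield (timestamp, user, ip, result) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3]


def review_account(log_text, user, compromise_date, lookback_days=60,
                   business_hours=(7, 19), known_ips=()):
    """Summarise one account's logon history inside the review window.

    known_ips is an assumption for this example: the addresses the user
    normally logs on from (e.g. gathered during the contact call); any other
    source address is reported as unusual. business_hours is [start, end).
    """
    window_start = compromise_date - timedelta(days=lookback_days)
    events = [e for e in parse_log(log_text)
              if e[1] == user and window_start <= e[0] <= compromise_date]
    ips = Counter(ip for _, _, ip, _ in events)
    off_hours = [e for e in events
                 if not (business_hours[0] <= e[0].hour < business_hours[1])]
    failures = [e for e in events if e[3] != "SUCCESS"]
    unusual_ips = sorted(ip for ip in ips if ip not in known_ips)

    findings = []
    if len(ips) > 1:
        findings.append(f"logons from {len(ips)} distinct IPs: {sorted(ips)}")
    if unusual_ips:
        findings.append(f"logons from IPs not known for this user: {unusual_ips}")
    if off_hours:
        findings.append(f"{len(off_hours)} logon(s) outside business hours")
    if failures:
        findings.append(f"{len(failures)} failed logon(s)")

    return {
        "user": user,
        "window_start": window_start,
        "events": len(events),
        "distinct_ips": len(ips),
        "off_hours": len(off_hours),
        "failures": len(failures),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    report = review_account(SAMPLE_LOG, "jdoe", datetime(2012, 2, 22),
                            known_ips={"203.0.113.10"})
    print(f"{report['user']}: {report['events']} logon event(s) since "
          f"{report['window_start']:%Y-%m-%d}")
    for finding in report["findings"]:
        print("-", finding)
```

The 60-day window is the slide's minimum; widen it if the user's machine may have been infected earlier than the date the compromise was noticed, since the keylogger was capturing credentials from the moment it was installed.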

Keylogger Countermeasures

- Use one-time passwords or multifactor authentication: a captured OTP is worthless once it has been used, although the keylogger still captures the static user ID and password
- Install antivirus and malware protection and keep it up to date (set an automatic schedule); free versions are available (AVG Antivirus, Spybot S&D)
- There is specific anti-keylogger software
- Do not click on links from unknown, untrusted sources
- Enable your firewalls and avoid peer-to-peer sites
- Be wary of using public computers, e.g., hotel and library computers

Two Factor Authentication Scope

- Provide safe and secure access to FSA network services
- Primary systems impacted across the enterprise: NSLDS, CPS, COD, AIMS, PM, FMS, and SAIG
- This project encompasses approximately 96K users:
  - FSA employees and Dept. of ED employees
  - Partners: postsecondary schools, Destination Point Administrators (DPAs), guaranty agencies, servicers, PCAs, NFPs
  - Call centers, developers, contractors, and sub-contractors
- The TFA project is focused on privileged users; a privileged user is anyone who can see more than just their own personal data

What is Two Factor Authentication?

- Something that you know is the first factor: user ID and password
- Something that you have is the second factor: a token with a One Time Password (OTP)
- The OTP is generated by a small electronic device, known as the TFA Token, that is in the physical possession of the user
- To generate an OTP, the user presses the "power" button on the front of the token
- A different OTP is generated each time the button is pressed; this is the event-based (counter-synchronized) OTP model, so each code is single-use and cannot be replayed

Alternative methods of obtaining an OTP without the TFA Token:
A) Answer three challenge questions online
B) Have the OTP sent to your smart phone

Note that the challenge-question fallback is itself something you know rather than something you have, so it does not provide a true possession factor; use of such fallbacks should be limited and logged.

TFA Project Phases

- Phase 1: Deployment of two factor tokens for FSA Citrix users (1,300 users); completed 5/1/2011
- Phase 2: Deployment of two factor tokens for Department of Education staff and FSA contractors (approximately 5,200 users); completed 10/28/2011
- Phase 3: International users, Foreign Schools (FS) and Domestic Schools logging into FSA systems across 35 countries; completed 12/31/2011. Domestic users: deployment of two factor tokens for 88,600 users logging into FSA systems by 12/31/2012
- Phase 4: Guaranty Agencies, TIVAS, Third Party Servicers, Not-for-Profits, Payment Collection Agencies (PCA), and VPN users connecting through the Virtual Data Center (VDC)

TFA Deployment Status

- Total TFA tokens deployed: 32,176 to 35 countries
- Tokens deployed to Phase III & IV partners: 25,594
- System update: 90% complete
  - NSLDS moved behind AIMS, completed 12/18/2011
  - COD TFA enabled 1/28/2012
  - SAIG Enrollment TFA enabled 2/12/2012
  - EDconnect TFA enabled 3/4/2012

TFA Token Deployment Forecast (chart)

Attestation/Confirmation Process

For each school, the Primary Destination Point Administrator (PDPA) and the COD Security Administrator need to work together to ensure all users have been identified and receive tokens.

Step 1: Confirmation/Attestation
- Confirm/attest to the individuals (unique users) at your school who are authorized users of one or more of the identified Federal Student Aid systems. This confirmation will only be used to determine the TOTAL NUMBER of tokens you will receive
- Identify any Third Party Servicer(s) supporting your school
- Confirm the physical street address to which tokens should be shipped, and provide a telephone number where we can contact you
- NOTE: We cannot ship to PO Boxes

Step 2: Federal Student Aid Ships Tokens to School
- The tokens will be sent to the attention of the PDPA via UPS

Step 3: Token Receipt, Distribution, and Registration
- After the tokens are shipped, FSA will send a follow-on message with more information about token distribution and registration
- The tokens are to be registered within 7 days of receipt

How do I Register my Token?

- Once you receive your token, you must register it for each system to which you have access and that you use
- Each FSA system website will be slightly different when logging in and registering your token
- Next steps: open the registration link, then click the Register/Maintain Token URL at the top right-hand side of the screen

TFA Frequently Asked Questions

Q: Will I be locked out of FSA systems if I don't have a token?
A: Once your school has been TFA enabled (locked), a token will be required to access FSA systems.

Q: I received more tokens than I have authorized users. What do I do with the extra tokens?
A: Each token shipment includes at least one (1) extra TFA token, for use as a replacement for a lost or broken token, or for issue to a new authorized user.

Q: I need more tokens. How do I get them?
A: For additional tokens, send an e-mail request to Federal Student Aid. We can only send tokens to the Primary DPA.

Q: Do I need to provide tokens to my Third Party Servicer?
A: No; however, please indicate the name and point of contact if you have engaged a Third Party Servicer.

Support Contacts

- Central Processing System – Financial Aid Administrators (CPS-FAA) and Student Aid Internet Gateway (SAIG): phone/TTY support; website: FAA Access to CPS Online
- National Student Loan Data System (NSLDS): phone support
- Common Origination and Disbursement (COD): COD School Relations Center (for Grants); COD Direct Loans
- Employee Enterprise Business Collaboration (EEBC): support hours Monday–Friday, 8 AM – 5 PM
- eCampus-Based (eCB): support hours Monday–Friday, 8 AM – 8 PM; website: The eCampus-Based System
- Two Factor Authentication: general questions about TFA