Wednesday, October 3, 2018

Recap: Oct 2015 - July 2016

UCLA Campus Multi-Factor Authentication


In the Beginning

MFA High-level Decision Diagram - B. Bellina, Nov 2015
Most of my first year at UCLA I was dedicated to the development and implementation of the campus Multi-Factor Authentication solution. Of course MFA was nothing new to Higher Ed and presentations going back to 2011 were readily available (IAMOnline has several). UCLA had adopted hardware tokens at one point in the past, not to great acclaim, and MFA was not seriously considered until 2015 when it was proposed by Albert Wu following a security event. It was then adopted as an Information Security program under the interim director of IT Security Michael Story. At the time I was hired in late 2015, the Duo product for MFA had been selected and the campus Shibboleth Single Sign-On (SSO) implementation was being considered as the first major implementation for the campus to adopt MFA, with other services such as department VPNs to follow. I had practical MFA experience from my time at USC. In 2013 while managing IdM at USC, I presented at the EDUCAUSE Annual conference on the topic, and a year before Russell Beall on my team had developed and presented a functional prototype of a groups-driven Shibboleth SSO implementation with Duo for MFA. The prototype was shelved until 2015 when, after an Information Security leadership change, it was resuscitated and my former team at USC, now under Asbed Bedrossian's leadership, quickly productionalized the prototype and implemented MFA with Shibboleth, first rolling it out to 570 IT and critical staff and then expanding to all 15,000 staff on December 1, 2015.

Shibboleth Login MFA flow for UCLA - B. Bellina, Nov 2015
Although some investigative work at UCLA was done in the final quarter of 2015, the official "Multi-Factor Authentication" project kick-off was January 27, 2016. The goal was to have a functional MFA solution developed by Memorial Day running on the Shibboleth Identity Provider v3. Our currently implemented Shibboleth IdP v2 was going to be end-of-lifed in June 2016 along with SAML 1 support, so we had to plan the IdP v3 upgrade and migrate all SAML 1 SPs to SAML 2 as well as integrate MFA. After a QA period we would then upgrade the IdP and begin controlled and optional enrollment of MFA in May. Considering the complexity of the UCLA environments it was an aggressive schedule, but the fixed end-of-life of Shibboleth IdP v2 made this a firm deadline. We held discussions with the IdM teams at both USC and Penn State to discuss their MFA Duo implementations. At that point Penn State was closing in on 10,000 enrolled staff/faculty MFA users with plans to enroll all 25,000 faculty and staff by May. While documenting our requirements we considered the work done elsewhere, all of which had been done for IdP v2: Duo's own Shibboleth IdPv2 plug-in, a Duo MFA on demand IdP v2 solution proposed by Russ Beall here <https://wiki.shibboleth.net/confluence/display/SHIB2/Duo+2FA+On+Demand>, and the IdP v2 Shibboleth Multi-Context Broker. In the end we contracted with Unicon and John Gasper worked with us to develop our own custom IdP v3 logic that leveraged the standard eduPersonEntitlement attribute, which we populated from Grouper groups. It was tight, but the compiled code was turned over by Memorial Day and even included the hooks needed to support the AuthnContextClassRef profile for MFA being proposed by InCommon.
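As an added illustration of the decision that entitlement-driven IdP logic has to make (this is not UCLA's or Unicon's code), the following models a login where an eduPersonEntitlement value populated from a Grouper group marks users who must use MFA, and where an SP may separately demand MFA through the REFEDS/InCommon AuthnContextClassRef. The entitlement URI and the "send unenrolled users to enrollment" behaviour are assumptions; the SAML and REFEDS identifiers are the real ones.

```python
"""Entitlement-driven MFA step-up decision for a SAML IdP login (illustration only)."""
from dataclasses import dataclass

# Real SAML 2.0 and REFEDS identifiers.
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_CTX = "https://refeds.org/profile/mfa"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
# Hypothetical entitlement value; assume a Grouper group is mapped to it
# by the IdP attribute resolver.
MFA_ENTITLEMENT = "urn:mace:example.edu:entitlement:mfa-required"


@dataclass(frozen=True)
class LoginContext:
    user: str
    entitlements: frozenset        # eduPersonEntitlement values resolved for the user
    requested_ctx: tuple = ()      # AuthnContextClassRef values from the SP's AuthnRequest
    duo_enrolled: bool = False     # user has a Duo second factor registered


def mfa_required(ctx: LoginContext) -> bool:
    """MFA is required when the SP demands it or the user's entitlement mandates it."""
    return MFA_CTX in ctx.requested_ctx or MFA_ENTITLEMENT in ctx.entitlements


def plan_login(ctx: LoginContext) -> dict:
    """Decide which factors to run and which context class the IdP may assert.

    Returns {"factors": [...], "context": <AuthnContextClassRef>} on success, or
    {"error": NoAuthnContext} when the SP insists on MFA the user cannot perform.
    The invariant: the MFA context is asserted only when Duo will actually run.
    """
    if not mfa_required(ctx):
        return {"factors": ["password"], "context": PASSWORD_CTX}
    if not ctx.duo_enrolled:
        if MFA_CTX in ctx.requested_ctx:
            # Never downgrade silently: the SP asked for MFA, so fail the request.
            return {"error": NO_AUTHN_CONTEXT}
        # Entitlement mandates MFA but the user has no second factor yet:
        # assumed behaviour is to route them through enrollment after the password.
        return {"factors": ["password", "enroll"], "context": PASSWORD_CTX}
    return {"factors": ["password", "duo"], "context": MFA_CTX}
```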

B. Bellina, Feb 2016

Talking the Talk

Along the way, in addition to developing technical requirements, working with Unicon, and getting the test and QA environments set up, there needed to be continuous communication to campus groups to allay fears, avoid misunderstandings, develop partnerships, and request feedback. Often these communications were in the form of presentations, and because of my experience in that area I had several opportunities in the months between January and June to both contribute to presentations and give them. It was for one of the early presentations that I applied the tagline "As Simple as 1... 2... 3", which in one form or another continued to be used in UCLA MFA literature for years afterward.

A partial list of presentations given in 2016 at UCLA includes:
  • Jan 12 - IAMUCLA Townhall
  • Feb 17 - UCLA Info Sec Ask the Experts "Multi-Factor Authentication"
  • Mar 8 - IAMUCLA Townhall
  • Mar 22 - Common Systems Group meeting - "Multi-Factor Authentication"
  • Apr 14 - DIIT Spring Staff Meeting "IT Services Information Security Program"
  • Apr 26 - Common Systems Group meeting - "Deploying Multi-Factor Authentication with UCLA Logon"
  • Apr 27 - BruinTech Tech-a-thon "Multi-Factor Authentication: The UCLA Campus Service"
  • May 3 - IAMUCLA Townhall
  • Jun 27 - DACSS Training half-day seminar "Multi-Factor Authentication"
  • Nov 17 - BruinTech Brown Bag "Multi-Factor Authentication"
There were also opportunities in 2016 and even 2017 to present to larger audiences as well at UC, InCommon, and Internet2 events including:

Walking the Walk

The MFA production rollout began on time in June 2016 with 9 enrolled users on June 6 performing 40 MFA-enabled logons a day. By June 29 there were 129 enrolled users performing over 700 MFA-enabled logons per day. My time on the project ended in July but the rollout continued to the campus community and eventually enhancements were done to the enrollment user interface.
  • By end of 2016 there were over 700 users enrolled.
  • By end of June 2017 there were over 2,500 users enrolled.
  • On October 31, 2017, all non-medical faculty and staff were required to use MFA to access campus applications through SSO and campus VPN, increasing enrollment to over 26,000.
  • By end of 2017 there were over 31,000 users enrolled performing over 50,000 MFA-enabled logons per day.
  • On April 17, 2018, all students were required to use MFA to access campus applications through SSO and campus VPN, increasing enrollment to over 71,000 users performing over 100,000 MFA-enabled logons per day.
Because all incoming UCLA employees and students are now mandated to use MFA in order to access web applications, including the new payroll system, the numbers continue to rise. At this time UCLA is undoubtedly one of the largest Duo MFA implementations of any university in the United States.

This was a project I am proud to have been a part of and I remain grateful to Albert Wu for giving me the opportunity.
