And the Survey Says: Implementation of MFA Now More Commonplace

By Nick Lewis - Internet2 Program Manager

Estimated reading time: 3 minutes

I’m not sure how many of you remember 2020, but most of it is a blur for me. In 2019, the NET+ Duo Service Advisory Board decided to conduct a multi-factor authentication (MFA) Community Survey to better understand how their peers used MFA and then build on the results to drive additional community adoption of MFA. We have conducted focused surveys on student usage and how different parts of a campus might license Duo as well. Coordination of the survey is a prime example of NET+ working with the community to understand how they use cloud services, so campuses can identify areas for collaboration and sharing best practices. (Other NET+ programs are doing Institutional Profiles to understand how their peers are using specific cloud services.) 

The survey was distributed to the community in May 2020. Even with the pandemic bearing down on campuses, we received 165 survey responses from 146 institutions in four countries. This tells me the community wanted to understand how MFA was used across the community: 

• Almost all respondents (98%) have at least some experience implementing MFA. 
• The majority of institutions (68%) support only one MFA option for their users. 
• Among the MFA products supported, 82% of respondents currently use Cisco Duo with several other MFA providers receiving mention in the survey. 

Survey Highlight: Remember Me?

One of the most requested and asked questions around MFA usage has been around the Remember Me functionality. As part of the community participating in the survey, we’re sharing the results for this question with you. Here are the results from that section of the full report:

Of the 146 responding institutions, only 10% do not support a “remember me” feature at all. Nearly a quarter (23%) allow “remember me” for a full month, and 4% allow it for a three-month period. Another 25% allow some period between one week and fifteen days. To cover a full workday, 13% allow “remember me” for 24 hours, while another 11% allow it for either 12, 10 or 8 hours. One responding site supports “remember me” for a three-day period, while another supports it for only one hour. Approximately 13% of respondents indicated that “remember me” periods are application-specific or related to the risk level of the data being accessed.

The full report with analysis of the data is only available to NET+ Duo subscribing campuses. Please contact the NET+ program if you would like access to the full report. 

Acknowledgements

The survey results report was delayed several times, and I would like to thank Oren Sreebny and Paul Erickson for starting the data analysis for the report. A special thanks goes to RuthAnne Bevier for pulling everything together and completing the report. 

Next Steps

As we reviewed the report, we thought of additional questions to ask in a future survey. We’re planning for an MFA Community survey in 2023 to see how MFA usage has changed in the last three three years and delve into more details. Stay tuned for more information.

In the meantime, the EDUCAUSE Core Data Service survey has a question about MFA spending this year, so we encourage your campus to complete the survey to see how your MFA spending compares to your peers. 

Please get in touch with me if you have any questions or feedback. The NET+ Duo Security program sponsored this survey, which is supported by campuses enrolling in the program. Please let us know if you would like to enroll in the program to support community activities like this. 

ICYMI

Internet2 Opportunities for the Research & Education Cybersecurity and Privacy Community