"This solution from SURF allows us to turn the option for MFA on and off for each service, which gives a lot of freedom."
"MFA is essential"
At both institutions, the need to secure services properly is strongly felt. "MFA is essential for institutions," says Van Loo (HZ University of Applied Sciences). "It is increasingly common for accounts to be hacked or taken down, as at Maastricht University for example. Accounts are of course secured by the username and password, but we see that the average user loosely handles this, for example by always using the same password. MFA makes accounts a lot safer."
MFA for services behind SURFconext can be turned on or off per service
Both institutions have their own MFA solution that is integrated in their own identity provider. In Zeeland this is Azure MFA, while Utrecht works with Micro Focus NetIQ. "We had already implemented our own solution a number of years ago, which enabled us to secure a large number of services," says Van Bokhoven (Utrecht University). "Until recently, it was not possible to secure SURFconext services in the same way. We wanted to make those services accessible too, but we didn't want to saddle users with a new MFA method. SURF's solution allows us to turn the option for MFA on and off for each service, which gives us a lot of freedom. When we saw that, we thought: we're going to use it."
Advantage of linking own MFA: not saddling users with an extra MFA method
What is the advantage of the MFA solution that the two institutions have now chosen? "We want to always offer the users the same solution for MFA," Scheeren (UU) says. "With this solution, it is no different for the users from when they access an internal UU service."
Apps and tokens as a second factor
Depending on the identity provider, the MFA solution can be implemented in different ways. In Utrecht, users can choose between the NetIQ app (recommended), another app such as Google Authenticator and a hardware token, the YubiKey (a USB stick). "Until recently, we also worked with SMS," adds Scheeren, "but we stopped doing that because of the costs." In Zeeland, too, most users get their authentication via an app; in addition, a hardware token is available, in this case a key ring that generates a code (TOTP). "It was a precondition for us that a hardware token could be used for devices without USB input," says Van Loo. "This meant that SURFsecureID - SURF's MFA solution - was dropped as a possible MFA solution, because at that time, the hardware tokens it supported were all USB-based."
Implementation went smoothly
Both parties found that implementing the MFA link with SURFconext went very smoothly. "SURF has a wiki with information about this solution that is very clear, and we've also been in contact with SURF's technical team," says Van Bokhoven. "We did do a pilot, but actually it was clear with a few emails back and forth. It worked pretty quickly as it was supposed to." Van Loo also experienced few technical problems: "We first implemented Azure MFA in a pilot, separate from SURFconext. At some point we had that running, and then SURF offered to add the MFA application to the SURFconext link. All we have to do is indicate to SURF which services we want to apply MFA for, and they'll turn it on."
"All we have to do is indicate to SURF for which services behind SURFconext we want to apply MFA, and then they turn it on."
Number of services with MFA increasing
The number of services for which MFA is applied is steadily increasing at both institutions. "We now use the MFA solution for about six or seven services, for example access to research publications via SURFconext," says Scheeren. "In the beginning, users were a little apprehensive, but that's over. Many teachers and researchers who want to use a service already come up with a request for MFA, so we don't have to push them anymore." Van Loo also has good experiences: "We started with financial services and we have gradually expanded the portfolio, for example with Osiris for our education administration. We are now working on Office 365 for the staff; students can optionally use MFA. Ultimately, you want to move towards a situation where as many services as possible are secured with MFA."
Both institutions indicate that it is very easy to turn a service on or off: "An email to SURF is sufficient, then it is arranged within a day," says Van Bokhoven. "The option is not yet in the SURF dashboard, but we understand that this is planned."
Users are positive
So far, the experiences in both Zeeland and Utrecht have been positive. "The inconvenience for users is limited," says Van Loo. "Once you have logged in to a service that requires MFA and you then log in to another service, you do not have to enter a second factor again. We see very little resistance, the experiences in the organisation are very positive. All the reports in the media about hacking and ransomware have also contributed to this."
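The two behaviours the interviewees describe, an MFA switch per service at the hub and no second prompt when a user who has already done MFA moves on to another MFA-protected service, can be modelled as a small policy evaluator. The following Python is an added illustration written for this page, not SURF's or SURFconext's own code: the service names, the user, the timestamps and the eight-hour lifetime of an MFA-backed session are all constructed assumptions, since the interview does not say how long the hub remembers a second-factor login.

```python
"""Constructed model of per-service MFA decisions at an identity hub (example, not SURFconext code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class Session:
    """Authentication state the hub keeps for one logged-in user."""
    user: str
    mfa_at: Optional[datetime] = None  # when a second factor was last verified; None = never


@dataclass
class HubPolicy:
    """Per-service MFA switches, like the per-service option the institutions ask SURF to flip."""
    mfa_services: set = field(default_factory=set)
    mfa_max_age: timedelta = timedelta(hours=8)  # assumed lifetime of an MFA-backed session

    def set_mfa(self, service_id: str, enabled: bool) -> None:
        """Turn the MFA requirement for one service on or off; other services are untouched."""
        if enabled:
            self.mfa_services.add(service_id)
        else:
            self.mfa_services.discard(service_id)

    def decide(self, service_id: str, session: Session, now: datetime) -> str:
        """ALLOW when password-only or MFA is still fresh, STEP_UP when a second factor is needed."""
        if service_id not in self.mfa_services:
            return ALLOW                      # password-only service
        if session.mfa_at is None:
            return STEP_UP                    # no second factor yet in this session
        if now - session.mfa_at > self.mfa_max_age:
            return STEP_UP                    # earlier MFA is too old, ask again
        return ALLOW                          # MFA already done recently: no new prompt


def login_flow(policy: HubPolicy, session: Session, service_id: str,
               now: datetime, second_factor_ok: bool) -> tuple:
    """Apply the hub decision; simulate the step-up at the institution's IdP when required.

    Returns (outcome, prompted) where prompted says whether the user saw an MFA prompt.
    """
    if policy.decide(service_id, session, now) == ALLOW:
        return ALLOW, False
    if not second_factor_ok:
        return DENY, True                     # prompt shown, second factor failed
    session.mfa_at = now                      # remember the successful second factor
    return ALLOW, True


def demo() -> list:
    """Walk one constructed user through several services and return the outcomes in order."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = HubPolicy()
    policy.set_mfa("finance", True)            # constructed service ids
    policy.set_mfa("education-admin", True)
    # "library" is deliberately left password-only
    session = Session(user="alice")
    return [
        login_flow(policy, session, "library", t0, True),                         # no MFA needed
        login_flow(policy, session, "finance", t0 + timedelta(minutes=1), True),  # first MFA prompt
        login_flow(policy, session, "education-admin", t0 + timedelta(minutes=5), True),  # reused
        login_flow(policy, session, "finance", t0 + timedelta(hours=9), False),   # stale, fails
        login_flow(policy, session, "finance", t0 + timedelta(hours=9, minutes=1), True),  # fresh again
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third call is the case Van Loo describes: the second factor done for "finance" a few minutes earlier is still valid, so "education-admin" is reached without another prompt, while the fourth call shows that a hub should still re-prompt once the earlier MFA is older than the session lifetime it trusts.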
Van Bokhoven has also heard little criticism: "In terms of MFA, there is no difference between the services we offer via SURFconext and our other applications. The user experience is exactly the same."
"With this solution where you use your own MFA solution for services connected to SURFconext, it is no different for the users than if they were accessing an internal service."
Tips for institutions that have not yet implemented MFA
Finally, the interviewees have a tip for institutions that have not yet implemented MFA and want to take the step. Van Loo stresses the need for a pilot: "Start step-by-step, implement MFA via a DTAP (Develop, Test, Accept) environment." Van Bokhoven adds a very practical tip: "Contact SURF and see what the possibilities are. That can save you a lot of time."
Besides setting up MFA for services connected to SURFconext, whereby institutions can link up their own MFA solution, SURF also offers MFA as a service: SURFsecureID. As well as relieving you of the burden of all the infrastructure involved in using and administering tokens, an important advantage of this MFA solution is the higher level of reliability: SURFsecureID checks the identity of the user and the extra factor selected before the user is granted access to the service.