MultiFactor Authentication Overview

What is MFA?

Multi Factor authentication (MFA) is a security process that requires users to verify their identity using two or more different methods. This usually includes something they know, something they have, or something they are. MFA adds an extra layer of protection, enhancing security by going beyond simple username and password combinations.

Google's two-factor authentication (2FA) is considered Multi-Factor Authentication because 2FA is a form of MFA where you provide two factors to verify your identity, and MFA simply means using multiple factors.

Why is the college implementing MFA?

In 2020 the Strategic Technology Advisory Committee of the Washington State Community and Technical College (WACTC) system published an issue brief approved by all WACTC presidents. The brief notified the colleges about the need for, and upcoming shift to, MFA for ctcLink accounts.

The college implemented MFA for ctcLink in February 2023 for employees and in April 2023 for students. We will implement MFA for employee Google accounts in Spring Quarter 2025.

Compliance

Edmonds College must comply with several laws requiring MFA, including:

• Family Educational Rights and Privacy Act (FERPA)
• Federal Information Security Management Act (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Executive Order 14028: Executive Order on Improving the Nation’s Cybersecurity

Benefits of MFA

On top of complying with regulatory requirements, we are also implementing MFA to provide enhanced security against cyber attacks and protection against breaches and phishing.

People using MFA are 90% less likely to get hacked!

How to use MFA

• Common MFA/2FA Methods for Google accounts
  • SMS verification codes
  • Time-based one-time Passwords (TOTP)
  • Biometric authentication
  • Hardware tokens or security keys
  • Push notifications
• Instructions Turn on 2-Step Verification
• Check out MFA/2FA Comparison of Google’s Authentication Methods for details on each authentication option.

---

MFA Examples in Everyday Use

Most people interact with MFA every day without knowing it. For example

Online Banking When accessing your online banking account, you typically need to provide:

1. Your username and password (something you know)

2. A one-time code sent via SMS or generated by a mobile app (something you have)

This two-factor authentication process helps protect your sensitive financial information.

Smartphone Access Many smartphones now use multiple factors for authentication:

1. PIN or password (something you know)

2. Fingerprint scan or facial recognition (something you are)

This combination provides convenient yet secure access to your device.

Email Account Login Major email providers often implement MFA:

1. Username and password (something you know)

2. Verification code sent to a secondary email or phone number (something you have)

ATM Transactions Using an ATM is a classic example of two-factor authentication:

1. Your debit card (something you have)

2. Your PIN (something you know)

Social Media Accounts Many social media platforms offer MFA options:

1. Username and password (something you know)

2. Approval via a push notification on your mobile device (something you have)

Corporate Network Access For employees accessing company networks remotely:

1. Username and password (something you know)

2. Hardware token or smart card (something you have)

3. Sometimes biometric verification (something you are)

Government Services When accessing government services online, such as the IRS website:

1. Username and password (something you know)

2. Verification code sent via SMS or email (something you have)

E-commerce Websites Some online shopping platforms use MFA for account security:

1. Username and password (something you know)

2. Verification code sent to your mobile device (something you have)

Workplace Applications Companies implement MFA to secure access to sensitive data and systems, ensuring that only authorized employees can log in.

Mobile Apps Many apps, especially those related to finance or health, use MFA to protect user data by requiring multiple forms of authentication during login.

Laws Requiring Training, Phishing Simulation, and MFA

Federal

Federal Information Security Management Act (FISMA)

FISMA requires ongoing security awareness training for all employees and contractors who have access to federal information systems (i.e. Social Security Administration, Department of Education).

Family Educational Rights and Privacy Act (FERPA)

FERPA requires continual training, security awareness, and vigilance to ensure that staff comply with FERPA requirements, the institution avoids penalties, and prevents the potential loss of reputation caused by security errors with education records.

Interpretation of FERPA Guidelines - The U.S. Department of Education has provided guidance that effectively recommends MFA:

• Single-factor authentication may not be sufficient for protecting highly sensitive information
• The use of "multiple authentication factors of different types" is strongly recommended
• Organizations are referred to NIST 800-63 for guidance, which recommends strong passwords and out-of-band MFA

Health Insurance Portability and Accountability Act (HIPAA)

For institutions that handle protected health information, HIPAA requires the implementation of security awareness and training programs for all workforce members. This includes training on how to protect sensitive health information from unauthorized access. Applies to higher ed institutions that are HIPAA covered entities or business associates handling protected health information (PHI).

MFA is implemented to comply with HIPAA cybersecurity requirements including:

• Enhanced Access Control
• Reduced Risk of Unauthorized Access
• Improved Audit Trails
• Demonstration of Due Diligence

Gramm-Leach-Bliley Act (GLBA)

The U.S. Department of Education has determined that Title IV schools (those participating in federal student aid programs) are considered financial institutions subject to GLBA requirements to protect student information. This means institutions must comply with GLBA safeguards to maintain their ability to participate in federal student aid programs.

GLBA requires financial institutions, which includes higher education institutions, to provide training on safeguarding customer information. The act also requires employee training at organizations subject to GLBA, such as financial aid offices at universities. Interagency guidance recommends training staff to recognize and respond to identity theft schemes, guard against pretext calling, and properly dispose of customer information.

GLBA requires institutions to 1) store sensitive customer information securely, 2) ensure secure transmission of data, and 3) prevent unauthorized access and improper disclosure. Many institutions implement MFA as a way to comply with these GLBA requirements, as it adds an additional layer of security beyond just passwords.

National Institute of Standards and Technology (NIST) Special Publication 800-50

NIST Special Publication 800-50 outlines the requirements for establishing an effective IT security awareness and training program. It emphasizes the need for all employees to understand their roles related to information security and to receive regular training.

Payment Card Industry Data Security Standard (PCI DSS)

Institutions that process credit card transactions must comply with PCI DSS, which requires security awareness training for all personnel who have access to cardholder data. This training aims to ensure that employees are aware of security policies and procedures to protect sensitive payment information.

DSHS Data Security Requirements

Anyone with access to DSHS confidential data is required to take IT Security Awareness training.

Executive Order 14028: Executive Order on Improving the Nation’s Cybersecurity

Executive Order 14028 instructs federal agencies to modernize technology, adopt zero trust security principles, and improve public/private partnerships. This has a trickle-down effect on higher education institutions, especially those receiving federal funding or working with federal agencies.

Washington State

WaTech IT Security and Privacy Awareness Training Policy (SEC-03)

RCW 43.105 Washington Technology Solutions

Executive Order 16-01 on Improving the Security of Network Systems

Other

Liability Insurance System Security Standard

Cybersecurity insurance providers require institutions to have many security measures implemented in order to obtain coverage. Some of the minimum requirements include:

• Regular simulated phishing exercises for all users
• Cybersecurity awareness training for all users
• MFA 100% implemented for remote access and privileged user accounts.
• MFA implemented for access to email

Related Links

• What is MFA?
• Why is the college implementing MFA?
• Benefits of MFA
• How to use MFA
• Helpful MFA Communications at Edmonds
• MFA Examples in Everyday Use
• Laws Requiring Training, Phishing Simulation, and MFA

Related Articles

MFA/2FA Comparison of Google’s Two-Factor Authentication Options

Hardware Keys for MFA/2FA

ctcLink - Multi-Factor Authentication (MFA)