1. Two Factor Authentication & PII Security Updates
June 20th, 2012
Steven Burke

2. This process is referred to as Two Factor Authentication (TFA).
Two-Factor Authentication – Overview
To comply with the White House through the United States Office of Management and Budget (OMB) mandate, Memorandum M07-16 attachment 1, and as part of our ongoing efforts to ensure the security of Federal Student Aid data systems, the U.S. Department of Education, is required to implement a security protocol through which all authorized users will enter two forms of “authentication” to access Federal Student Aid systems via the Internet.
This process is referred to as Two Factor Authentication (TFA).

3. Two-Factor Authentication
Scope:
Provide safe and secure access to FSA network services
Primary systems impacted across the enterprise
NLSDS, CPS, COD, AIMS, PM, FMS and SAIG
This project encompasses approximately 96K users
FSA employees, Dept. of ED employees
Partners
Postsecondary Schools Destination Point Administrators (DPA)
Guaranty Agencies
Servicers/PCA’s/NFPs
Call Centers
Developers/Contractors and Sub-Contractors
TFA project is focused on privileged users
A privileged user is anyone who can see more than just their own personal data

4. What is Two-Factor Authentication?
Something that you know is the First Factor:
User ID and Password
Something that you have is the Second Factor: Token with a One Time Password
The One Time Password (OTP) will be generated by a small electronic device, known as the TFA Token, that is in the physical possession of the user
To generate the OTP, a user will press the
“power” button on the front of the token
A different OTP will be generated each time the
button is pressed
Alternative Methods of obtaining OTP without TFA Token:
A) Answer 3 Challenge Questions online
B) Have the OTP sent to your Smart Phone

5. Two - Factor Authentication
Key Deliverables:
Phase 1 To ensure the successful deployment of two-factor tokens for FSA – Citrix users 1,300 completed 5/1/2011
Phase 2 To ensure the successful deployment of two-factor tokens for Dept. of ED Staff, approximately 5,200 users. As of 7/1/2011, FSA Contractors have been added for TFA. In production as of 10/28/2011
Phase 3 International users, Foreign Schools (FS) and Domestic Schools, when logging into FSA systems across 35 countries completed12/31/ Domestic users, to ensure the successful deployment of two-factor tokens for users when logging into FSA systems: 88,600 users by12/31/2012
Phase 4 Guaranty Agencies, TIVAS, Third Party Servicers, Not-for-Profits, Payment Collection Agencies (PCA), and VPN users connecting through VDC

6. Two - Factor Authentication
Project Status
Total TFA Tokens Deployed: 32,176 to 35 Countries
Tokens Deployed to Phase III & IV for Partners: 25,594
System Update: % Complete
NSLDS moved behind AIMS, completed on 12/18/11
COD TFA enabled on 1/28/12
SAIG Enrollment TFA enabled 2/12/12
EDconnect TFA enabled 3/4/12

7. TFA -Token Deployment Forecast As of 6/20/2012
Group
State
Initial Estimated Schools/Users
Estimated Completion Lockout Date
Revised
Lockout
Date
Completed
Number of Confirmed users Registered (6/8/2012 )
Estimated Completion Lockout
3/ Schools 1,529 Users
10/30/2011
10/30/ Schools ( 1,444 ) Users
1,685 6 AR
3/ Schools 6, Users
8/3/2012
6/7/2012 ( ) Schools ( ) Users FS CO
DeVry GA KS MO 1 DC
3/ Schools 2, Users
2/27/2012
6/8/2012
6/8/ Schools ( 3,010 ) Users
1,546 DE 7 AZ
3/ Schools 7,158 Users
9/7/2012
As of 6/7/2012 ( ) Schools ( ) Users MD CT VA IA WV IL IN 2 NC
3/ Schools 5,154 Users
3/16/2012
6/8/ Schools ( 4,700 ) Users
2,416 LA NJ NY 8 AL
3/ Schools 3, Users
10/12/2012 SC AS FC 3 KY
3/ Schools 6,615 Users
4/20/2012
6/22/2012
As of 6/8/2012 ( 310 ) Schools ( 1,820 ) Users FM MI GU NE HI NH MA OH ME PA MH RI MP VT MS TN 4
3/ Schools 8,155 Users
5/25/2012
7/6/2012
As of 6/7/2012 ( 313 ) Schools ( 513 ) Users CA 9 MT
3/ Schools 3, Users
11/16/2012 FL NM NV PR 5 AK
3/ Schools 5,740 Users
6/29/2012
As of 6/7/2012 ( ) Schools ( ) Users PW ID UT MN WA ND WI OR WY SD TX

8. Two-Factor Authentication - Attestation/Confirmation Process
Action Items:
For each school, the PDPA and COD Security Administrator need to work together to ensure all users have been identified and receive tokens.
Step 1: Confirmation/Attestation
Confirm/Attest to the individuals (unique users) at your school who are authorized users of one or more of the identified Federal Student Aid systems. This confirmation will only be used to determine the TOTAL NUMBER of tokens you will receive.
Identify any Third Party Servicer(s) supporting your school.
Confirm the physical street address to which tokens should be shipped, and provide a telephone number where we can contact you.    NOTE: We cannot ship to PO Boxes.
Step 2: Federal Student Aid Ships Tokens to School
The tokens will be sent to the attention of the PDPA via UPS
Step 3: Token Receipt, Distribution, and Registration
After the tokens are shipped, FSA will send a follow-on with more information about token distribution and registration.
The tokens are to be registered within 7 days of receipt.

9. Two - Authentication - Frequently Asked Questions
Will I be locked out of FSA systems if I don’t have a token?
Once your school has been TFA enabled (locked) a token will be required to access FSA systems. The TFA Deployment Schedule identifies the scheduled lock dates by state.
Tokens are distributed through the Primary Destination Point Administrator (PDPA) at each institution. If you have not received your token please contact your PDPA.
I received more tokens than I have authorized users. What do I do with the extra tokens?
Each token shipment will include at least one (1) extra TFA token, for use as a replacement for a lost or broken token, or for issue to a new authorized user. The PDPA should secure and safeguard the extra tokens for use in these situations.
I need more tokens. How do I get them?
For additional tokens please send an to with the following information: (We can only send tokens to the Primary DPA.)
• School Name and OPEID
• Full Name and FSA User ID of the additional users
• The name of the PDPA and the physical address where the tokens are to be shipped   

10. Two - Factor Authentication - Frequently Asked Questions
Do I need to provide tokens to my third party servicer?
No, However please indicate the name and point of contact if you use a Third Party Servicer.
Do I need a token to use EDconnect 8.1? I need to install and use EDconnect 8.1, but I don’t have my token yet.
A TFA token is not required to use the EDconnect software until your school has been TFA enabled (locked).
If you are an EDconnect /SAIG user and have not already done so, you will need to download and install version 8.1 of the EDconnect software.
On Sunday, June 24, 2012 EDconnect 8.1 will be required to access EDconnect/SAIG. All previous versions of EDconnect will be disabled. (See SAIG Upgrade - System and Software Product Enhancements Available March 5, 2012 (Updated March 15, 2012))
On the EDconnect login screen, enter your TG number, including the letters “TG” (example: TG12345). In the Security Code field, enter the 6-digit code displayed on your TFA token, if you have one.   

11. TFA Questions : For general questions about TFA
Support Contacts for External Customers (Postsecondary Schools and Financial Partners)
Employee Enterprise Business Collaboration (EEBC)
Support Hours: Monday-Friday, 8 AM – 5 PM
Phone:
eCampus-Based (eCB)
Support Hours: Monday-Friday, 8 AM – 8 PM
Phone:
Website: The eCampus-Based System (
  electronic Cohort Default Rate Appeals (eCDR Appeals)
Mainly from the request from FSA SSO Donna Bellflower
Website: eCDR Appeals System (
Central Processing System – Financial Aid Administrators (CPS-FAA) Student Aid Internet Gateway (SAIG) Phone: / TTY Website: FAA Access CPS Online ( National Student Loan Data System (NSLDS) Phone: Website: Common Origination and Disbursement (COD) Phone: COD School Relations Center (for Grants) Phone: COD Direct Loans
TFA Questions : For general questions about TFA