Steven Burke

1
Two Factor Authentication

• Steven Burke
• U.S. Department of Education
• 2012 Software Developers Webinar 3

2
Agenda

• Project Overview
• Postsecondary School Federal Financial Aid
  Eco-System
• Project Scope
• Project Phases and Deployment Status
• TFA Attestation Lifecycle
• TFA Attestation/Confirmation Process
• Registration Scenarios
• Frequently Asked Questions
• Additional Resources

3
Project Overview

• In 2010 an estimated 90,000 accounts were
  identified accessing FSA systems without a second
  factor authentication. FSA hosts at least 80
  million records - all currently unprotected in
  accordance with industry best practices and
  Office of Management and Budget (OMB) mandate
  M-07-16.
• The U.S. Department of Education is implementing
  a security protocol through which all authorized
  users will be required to enter two forms of
  authentication to access Federal Student Aid
  systems via the Internet.
• This process is referred to as Two Factor
  Authentication (TFA).

4
Postsecondary School Federal Financial Aid
Eco-System

• 6,400 unique institutions of higher education
• Over 3,000 financial partners
• Over 90K privileged accounts
• Over 70M unique identities
• Over 320M loans
• Over 96M grants
• Supporting students in 35 countries
• 1T loan book
• Over 13M students
• Over 30M aid awards
• Over 120B injected into the eco-system each year

• FSA
• Staff 1,300
• Contractors 10,000
• Services
• Aid Apps
• Grants
• Loan Origination
• Loan Servicing
• Debt Collection
• Compliance

5
Two Factor Authentication Scope

• Provide safe and secure access to FSA network
  services
• Primary systems impacted across the enterprise
• NSLDS, CPS, COD, AIMS, PM, FMS, and SAIG
• This project encompasses approximately 90K users
• FSA employees, Dept. of ED employees
• Partners
• Postsecondary School Destination Point
  Administrators (DPA)
• Guaranty Agencies
• Servicers, PCAs, NFPs
• Call Centers, Developers, Contractors, and
  Sub-Contractors
• TFA project is focused on privileged users
• A privileged user is anyone who can see more
  than just their own personal data

6
What is Two Factor Authentication?

• Something that you know is the First Factor
• 
  User ID and Password
• Something that you have is the Second Factor
  
  Token with a One Time Password
• The One Time Password (OTP) will be generated by
  a small electronic device, known as the TFA
  Token, that is in the physical possession of the
  user
• To generate the OTP, a user will press the
  power button on the front of the token
• A different OTP will be generated each time the
  button
• is pressed
• Alternative Methods of obtaining OTP without TFA
  Token
• A) Answer three Challenge Questions online
• B) Have the OTP sent to your Smart Phone

7
TFA Project Phases

• Phase 1 To ensure the successful deployment of
  two factor tokens for FSA
  Citrix users 1,300 completed 5/1/2011 Phase 2
  To ensure the successful deployment of two factor
  tokens for Department of
  Education Staff and FSA Contractors
  approximately 5,200 users and
  FSA Contractors completed 10/28/2011
• Phase 3 International users, Foreign Schools
  (FS) and Domestic Schools, when
  logging into FSA systems across 35 countries
  completed12/31/2011 Domestic
  users, to ensure the successful deployment of two
  factor tokens for users when
  logging into FSA systems 88,600 users
  by 12/31/2012Phase 4 Guaranty Agencies,
  TIVAS, Third Party Servicers, Not-for-Profits,
  Payment Collection Agencies (PCA),
  and VPN users connecting through
  Virtual Data Center (VDC)

8
TFA Deployment Status

• Total TFA Tokens Deployed 48,280 in the USA
  and 35 Countries
• Tokens Deployed to Phase III IV for Partners
  41,698
• Partner tokens registered 23,357
• Percent Registered 56
• System Update 90 Complete
• NSLDS moved behind AIMS, completed on 12/18/2011
• COD TFA enabled on 1/28/2012
• SAIG Enrollment TFA enabled 2/12/2012
• EDconnect TFA enabled 3/4/2012

9
TFA Attestation Lifecycle
10
TFA -Token Deployment Forecast As of
8/17/2012
Group State InitialEstimated Schools/Users Estimated Completion Lockout Date Revised Lockout Date Attestation Completed Group State InitialEstimated Schools/Users Estimated Completion Lockout Date Revised Lockout Date Attestation Completed
0   3/2011347 Schools 1,529 Users 10/30/2011 10/30/2011 10/30/2012347 Schools( 1,444 ) Users 6 AR 3/2011521 Schools 6,122 Users 8/3/2012 8/17/2012 8/17/2012 ( ) Schools( ) Users
0 FS 3/2011347 Schools 1,529 Users 10/30/2011 10/30/2011 10/30/2012347 Schools( 1,444 ) Users 6 CO 3/2011521 Schools 6,122 Users 8/3/2012 8/17/2012 8/17/2012 ( ) Schools( ) Users
0 DeVry 3/2011347 Schools 1,529 Users 10/30/2011 10/30/2011 10/30/2012347 Schools( 1,444 ) Users 6 GA 3/2011521 Schools 6,122 Users 8/3/2012 8/17/2012 8/17/2012 ( ) Schools( ) Users
0   3/2011347 Schools 1,529 Users 10/30/2011 10/30/2011 10/30/2012347 Schools( 1,444 ) Users 6 KS 3/2011521 Schools 6,122 Users 8/3/2012 8/17/2012 8/17/2012 ( ) Schools( ) Users
6 MO 3/2011521 Schools 6,122 Users 8/3/2012 8/17/2012 8/17/2012 ( ) Schools( ) Users
1 DC 3/2011323 Schools 2,622 Users 2/27/2012 6/8/2012 6/8/2012315 Schools( 2,913 ) Users
1 DE 3/2011323 Schools 2,622 Users 2/27/2012 6/8/2012 6/8/2012315 Schools( 2,913 ) Users 7 AZ 3/2011631 Schools 7,158 Users 9/7/2012 11/23/2012 As of 8/17/2012( ) Schools( ) Users
1 MD 3/2011323 Schools 2,622 Users 2/27/2012 6/8/2012 6/8/2012315 Schools( 2,913 ) Users 7 CT 3/2011631 Schools 7,158 Users 9/7/2012 11/23/2012 As of 8/17/2012( ) Schools( ) Users
1 VA 3/2011323 Schools 2,622 Users 2/27/2012 6/8/2012 6/8/2012315 Schools( 2,913 ) Users 7 IA 3/2011631 Schools 7,158 Users 9/7/2012 11/23/2012 As of 8/17/2012( ) Schools( ) Users
1 WV 3/2011323 Schools 2,622 Users 2/27/2012 6/8/2012 6/8/2012315 Schools( 2,913 ) Users 7 IL 3/2011631 Schools 7,158 Users 9/7/2012 11/23/2012 As of 8/17/2012( ) Schools( ) Users
7 IN 3/2011631 Schools 7,158 Users 9/7/2012 11/23/2012 As of 8/17/2012( ) Schools( ) Users
2 NC 3/2011742 Schools 5,154 Users 3/16/2012 6/8/2012 6/8/2012607 Schools( 4,791 ) Users 7 LA 3/2011631 Schools 7,158 Users 9/7/2012 11/23/2012 As of 8/17/2012( ) Schools( ) Users
2 NJ 3/2011742 Schools 5,154 Users 3/16/2012 6/8/2012 6/8/2012607 Schools( 4,791 ) Users
2 NY 3/2011742 Schools 5,154 Users 3/16/2012 6/8/2012 6/8/2012607 Schools( 4,791 ) Users 8 AL 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
2 SC 3/2011742 Schools 5,154 Users 3/16/2012 6/8/2012 6/8/2012607 Schools( 4,791 ) Users 8 AS 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
8 FC 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
3 KY 3/2011866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012( 788 ) Schools( 6,360 ) Users 8 FM 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
3 MI 3/2011866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012( 788 ) Schools( 6,360 ) Users 8 GU 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
3 NE 3/2011866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012( 788 ) Schools( 6,360 ) Users 8 HI 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
3 NH 3/2011866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012( 788 ) Schools( 6,360 ) Users 8 MA 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
3 OH 3/2011866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012( 788 ) Schools( 6,360 ) Users 8 ME 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
3 PA 3/2011866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012( 788 ) Schools( 6,360 ) Users 8 MH 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
3 RI 3/2011866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012( 788 ) Schools( 6,360 ) Users 8 MP 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
3 VT 3/2011866 Schools 6,615 Users 4/20/2012 7/20/2012 As of 8/17/2012( 788 ) Schools( 6,360 ) Users 8 MS 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
8 TN 3/2011502 Schools 3,362 Users 10/12/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
4   3/2011780 Schools 8,155 Users 5/25/2012 8/3/2012 As of 8/17/2012( 513 ) Schools( 5,524) Users
4 CA 3/2011780 Schools 8,155 Users 5/25/2012 8/3/2012 As of 8/17/2012( 513 ) Schools( 5,524) Users 9 MT 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
4 FL 3/2011780 Schools 8,155 Users 5/25/2012 8/3/2012 As of 8/17/2012( 513 ) Schools( 5,524) Users 9 NM 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
4   3/2011780 Schools 8,155 Users 5/25/2012 8/3/2012 As of 8/17/2012( 513 ) Schools( 5,524) Users 9 NV 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
9 PR 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
5 AK 3/2011643 Schools 5,740 Users 6/29/2012 8/17/2012 As of 8/17/2012( 469 ) Schools( 3,852 ) Users 9 PW 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
5 ID 3/2011643 Schools 5,740 Users 6/29/2012 8/17/2012 As of 8/17/2012( 469 ) Schools( 3,852 ) Users 9 UT 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
5 MN 3/2011643 Schools 5,740 Users 6/29/2012 8/17/2012 As of 8/17/2012( 469 ) Schools( 3,852 ) Users 9 WA 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
5 ND 3/2011643 Schools 5,740 Users 6/29/2012 8/17/2012 As of 8/17/2012( 469 ) Schools( 3,852 ) Users 9 WI 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
5 OR 3/2011643 Schools 5,740 Users 6/29/2012 8/17/2012 As of 8/17/2012( 469 ) Schools( 3,852 ) Users 9 WY 3/2011455 Schools 3,470 Users 11/16/2012 11/23/2012 8/17/2012 ( ) Schools( ) Users
5 SD 3/2011643 Schools 5,740 Users 6/29/2012 8/17/2012 As of 8/17/2012( 469 ) Schools( 3,852 ) Users
5 TX 3/2011643 Schools 5,740 Users 6/29/2012 8/17/2012 As of 8/17/2012( 469 ) Schools( 3,852 ) Users
11
Attestation/Confirmation Process

• For each school, the Primary Destination Point
  Administrator (PDPA) and the COD Security
  Administrator need to work together to ensure all
  users have been identified and receive tokens
• Step 1 Confirmation/Attestation
• Confirm/Attest to the individuals (unique users)
  at your school who are authorized users of one or
  more of the identified Federal Student Aid
  systems. This confirmation will only be used to
  determine the TOTAL NUMBER of tokens you will
  receive
• Identify any Third Party Servicer(s) supporting
  your school
• Confirm the physical street address to which
  tokens should be shipped, and provide a telephone
  number where we can contact you    
• NOTE We cannot ship to PO Boxes

12
Attestation/Confirmation Process

• Step 2 Federal Student Aid Ships Tokens to
  School
• The tokens will be sent to the attention of the
  PDPA via UPS
• Step 3 Token Receipt, Distribution, and
  Registration
• After the tokens are shipped, FSA will send an
  e-mail with more information about token
  distribution and registration
• The tokens are to be registered within 7 days of
  receipt

13
Attestation/Confirmation Process

• To expedite the attestation/confirmation process
• Click reply to respond to the attestation email
  message
• (Please do not change the
  subject line.)
• Example Subject Line
• GR6 - AR - University Of Central Arkansas -
  00109200 - Attestation Required
• Complete the TFA Attestation form embedded in
  the attestation email

14
Attestation/Confirmation Process
15
How do I register my token?

• Once you receive your token you must register it
  once for the systems behind PM (NSLDS, CPS and
  SAIG/EDconnect) and once for each COD account.
• Each FSA System website will be slightly
  different when logging in and registering your
  token

• Next Steps
• Click on the following link
• https//fafsa.ed.gov/FOTWWebApp/faa/faa.jsp
• Then click on the Register/Maintain token URL on
  the top right hand side of the screen.

16
TFA Registration Scenarios
TFA Registration Scenario 1 John has access
to NSLDS, CPS and SAIG. He will need to register
his token only once.
Participation Management (PM)
COD NSLDS, CPS FFA, SAIG
John Doe FSA user ID John.Doe.FSA Token S/N
AVT 886123456
N/A  
TFA Registration Scenario 2 John has access
to NSLDS, CPS and SAIG and has (1) COD user ID.
He will need to register his token (2) times.
Participation Management (PM)
COD NSLDS, CPS FFA, SAIG
John Doe FSA user ID John.Doe.FSA Token S/N
AVT 886123456
John Doe COD user ID JDOE01Token S/N AVT
886123456
17
TFA Registration Scenarios
TFA Registration Scenario 3 John has access to
NSLDS, CPS and SAIG and has (3) COD user IDs. He
will need to register his token (4) times.
Participation Management (PM)
COD NSLDS, CPS FFA, SAIG
John Doe COD user ID JDOE01 COD user ID
JDOE02 COD user ID JDOE03 Token S/N AVT
886123456
John Doe FSA user ID John.Doe.FSA Token S/N
AVT 886123456  
TFA Registration Scenario 4 John has access to
COD and has (1) COD user ID. He will need to
register his token only once.
Participation Management (PM)
COD NSLDS, CPS FFA, SAIG
John Doe COD user ID JDOE01Token S/N AVT
886123456
N/A  
18
TFA Registration Scenarios
TFA Registration Scenario 5 John has access to
COD and has (3) COD user IDs. He will need to
register his token (3) times.
Participation Management (PM)
COD NSLDS, CPS FFA, SAIG
John Doe COD user ID JDOE01 COD user ID
JDOE02 COD user ID JDOE03 Token S/N AVT
886123456
N/A  
19
TFA Frequently Asked Questions

• Will I be locked out of FSA systems if I dont
  have a token?
• Once your school has been TFA enabled (locked)
  a token will be required to access FSA
  systems
• I received more tokens than I have authorized
  users. What do I do with the extra tokens?
• Each token shipment will include at least one
  (1) extra TFA token, for use as a replacement
  for a lost or broken token, or for issue to a new
  authorized user
• I need more tokens. How do I get them?
• For additional tokens please send an e-mail to
  TFA_Communications_at_ed.gov We can only send
  tokens to the Primary DPA
• Do I need to provide tokens to my Third Party
  Servicer?
• No, however please indicate the name and point of
  contact if you have engaged a Third Party
  Servicer

20
Support Contacts
Two Factor Authentication Questions For general
questions about TFA E-mail TFA_Communications_at_ed.
gov

• Central Processing System Financial Aid
  Administrators (CPS-FAA) Student Aid Internet
  Gateway (SAIG)
• Phone 1-800-330-5947 / TTY 1-800-511-5806
• E-mail CPSSAIG_at_ed.gov
• Website FAA Access CPS Online (https//faaaccess
  .ed.gov/FOTWWebApp/faa/faa.jsp)
•  
• National Student Loan Data System (NSLDS)
• Phone 1-800-999-8219
• E-mail nslds_at_ed.gov
• Common Origination and Disbursement (COD)
• Phone COD School Relations Center
  1-800-474-7268(for Grants)
• Phone COD Direct Loans 1-800-848-0978
• E-mail CODSupport_at_acs-inc.com
•   

 Employee Enterprise Business Collaboration
(EEBC) Support Hours Monday-Friday, 8 AM 5
PM Phone 1-866-441-6633 E-mail
eebcservicerequest_at_ed.gov eCampus-Based (eCB)
Support Hours Monday-Friday, 8 AM 8 PM Phone
1-877-801-7168 E-mail cbfob_at_ed.gov E-mail
secarch_at_ed.gov Website The eCampus-Based System
(https//cbfisap.ed.gov/ecb/CBSWebApp/welcome.jsp)
  
21
Contact Information
We appreciate your feedback and comments. Please
contact Leslie A. Willoughby Phone (202)
377- 3896 Email Leslie.Willoughby_at_ed.gov