Universities may have trouble with their cyber security strategy. Unfortunately, this weakness degrades the student experience, increases the chance of a third-party cyberattack, and costs the university a lot of money.
We attended the EDUCAUSE Cyber Professionals Conference and spoke with many universities about their approach to Identity and Access Management (IAM). We discovered that many of them lacked the foundational understanding needed to implement a proper strategy.
These universities still face IAM challenges and remain confused about IAM itself and about defining the level of cyber defense that cyber security vendors are expected to meet. While some are integrating security properly across their campus, others are just getting started.
If universities integrated biometrics, they could expand their IAM strategy and gain a lower-cost, easy-to-use authentication method for their students, faculty, and staff.
BIO-key at EDUCAUSE 2022
Our VP of Product, Kimberly Biddings, attended the EDUCAUSE Cyber Professionals 2022 conference to connect with higher education security professionals. Throughout the event, she and IT staff from universities discussed information security, cybersecurity education, and privacy trends that the higher education industry is experiencing, as well as reviewing their existing IAM strategy.
She pointed out that many educational institutions use a mix of MFA methods, leaning toward phone-based methods and hardware tokens. In response, she introduced Identity-Bound Biometrics: an authentication method that verifies the identity of the user taking each action. She then explained how the approach tightens cybersecurity around students, faculty, and staff and reduces their exposure to cyber threats.
How Universities Are Approaching IAM
Hearing how colleges and universities tackle IAM was eye-opening. Big or small, they all have IAM challenges - but there was a consistent, core issue across many of the attendees we spoke with: the lack of a cohesive IAM strategy. After meeting with a number of IT professionals, we discovered that IAM approaches were highly varied.
Traditionally, universities test a free trial of a product and then migrate to a commercial solution, such as Duo Security, which enables phone-based authentication methods. These phone methods work for plenty of students and faculty, since they always have their phone with them, but a significant portion of faculty and staff prefer not to use their phones for authentication or are unable to.
This is where universities start using hardware tokens and begin looking for a company that provides them as an authentication method. As a result, they end up using two different methods from two different organizations, which is unnecessarily costly and complex.
Instead, universities should find a vendor that supports many authentication methods within one system. Not only does this avoid high cost and complexity, it also makes the digital experience (and cybersecurity training) simpler for students, faculty, and staff.
Do universities need hardware tokens?
Yes. There is a time and place for hardware tokens, and they have become the go-to solution for universities. Hardware tokens work for every user, regardless of whether they have a phone, and are a better replacement for phone-based methods. However, hardware tokens come at a higher cost: if a user loses a token, it takes time and money to reset the user's lost token and ship them a new one.
How Do Universities Know Which Vendor to Buy from?
Universities use the HECVAT (Higher Education Community Vendor Assessment Tool) to evaluate the risk of implementing a security vendor's solution and, ultimately, to determine whether the vendor can stand up to potential cyber threats.
Specifically, the HECVAT assesses the cybersecurity policies the vendor has put in place and verifies whether those policies protect sensitive and personal information.
Compliances Universities Must Fulfill
One shocking fact we learned from universities is that they must comply with regulations from several different verticals, which is challenging because they have to meet all the requirements of each act.
These include HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and the new Federal Safeguards Rule, which requires multi-factor authentication for all accounts containing personal information. In short, universities have to implement MFA for all students. Moreover, these compliance requirements come on top of the education-specific compliance requirements they already have to fulfill.
Multi-vendor Approach Causes Cyber Security Problems
Many universities are having issues with multi-factor authentication. They approach MFA by buying from multiple vendors and then consolidating all of those solutions into a single environment. We discussed with many universities why consolidating and aggregating different methods in one environment is a problem.
Some solutions do not work well with others, and the resulting system is less effective than a single vendor that can host many different authentication methods. This issue tends to occur at larger universities, which purchase more commercial and robust solutions that cannot be changed or merged with other solutions.
Running many solutions from multiple vendors can increase the chance of a cyber attack, including attacks that come through third parties. 60% of cyber threats at education institutions are data breaches largely caused by third-party vendors. Disparate solutions also disrupt the digital experience for your students, which in turn affects enrollment rates: 87% of students say that a school's tech savviness is an important factor in their decision to enroll.
The Reaction to Biometrics
The higher education sector has a growing interest in biometrics for authentication. After talking to many universities, it became clear that most of them would benefit from biometric authentication - especially end users, who would avoid password fatigue and the need to memorize complicated passwords. Compared to methods that rely on "what you have" and "what you know", biometrics is the far more secure method, establishing trust that is rooted in a person's biometric identity.
Unfortunately, biometrics is confusing to many educational institutions - and understandably so. Grasping the implications around privacy and overall technological impact requires a deep knowledge of biometric authentication. Universities often misinterpret biometric authentication as a surveillance technique rather than what it really is: a method to accurately identify approved users and verify their login. This confusion causes many universities to avoid the conversation of biometric authentication altogether.
Because of this, many universities are not ready to deploy biometrics institution-wide. However, we discussed deployment on a smaller scale, specifically implementing them in research labs or research areas. In addition to safeguarding highly confidential resources, this smaller scale deployment allows education institutions to test a biometric approach in a more controlled environment. Biometrics are still new to many colleges and universities. This specific use case is a promising first step to take.
Next Step for Universities and MFA
As universities return to varying versions of normalcy, IT staff will need to upgrade their solutions and revise their IAM strategy to improve the digital experience and stay compliant across multiple verticals.
Biometrics is a low-cost, easy-to-use, and secure method of authentication - and even though some confusion and misinterpretation remain, it was encouraging to learn at EDUCAUSE 2022 that many colleges and universities are open to exploring it.
Is your college or university ready to learn about biometrics as an MFA solution? Browse our Higher Education eBook to learn more about implementing the right IAM strategy for your environment.