Two Factor Authentication (TFA) Has It On Lock Down

The information age is upon us, and with new technologies there are ever increasing amounts of data being collected and stored across the cyber community. This data must be protected to ensure program integrity and safeguard taxpayers' interests.

The postsecondary school ecosystem has grown significantly over the past few years with multiple touch points to enable the delivery of Title IV Aid and to accommodate the needs of the students Federal Student Aid (FSA) and our schools serve. In 2007 FSA distributed $80 billion in financial aid to approximately 8 million borrowers. FSA distributed more than $135 billion in Federal Aid this past year to 14 million students and families. Since 2007, the number of borrowers has grown from 8 million to 23 million borrowers in 2010/2011. These figures are expected to grow to the tune of about 10% over the next five years.

FSA hosts at least 80 million records, all of which currently lack the protection called for by industry best practices and Office of Management and Budget (OMB) / Department of Homeland Security (DHS) mandates. At a high level, the FSA ecosystem consists of more than 90,000 users accessing the following primary FSA systems: National Student Loan Data System (NSLDS), Central Processing System (CPS), Common Origination and Disbursement (COD), Access and Identity Management System (AIMS), Participation Management (PM), Financial Management System (FMS), and Student Aid Internet Gateway (SAIG).

The FSA ecosystem has over 10,000 unique entities including over 6,500 postsecondary schools in 35 countries that interface directly with FSA. This population is supported by 3,200 financial partners including Guaranty Agencies, Title IV Additional Servicers (TIVAs) and other financial institutions.

The U.S. continues to be the top country targeted in web-based attacks and the government sector is the most popular target.
The type of information FSA hosts is often the target of hackers and may be accessed through malicious software such as keyloggers. Keyloggers can be devices or software used by cybercriminals to covertly capture and record keystrokes on a computer. Their target is often log-in names, passwords, and other sensitive information that can be sold for illegitimate purposes.

The cost of a data breach is based upon the data captured. According to industry experts, the cost of a customer record compromised in a data breach is $200-$214.[1] Compromised records containing bank account information are in the range of $300-$350. With this dynamic environment, there is a need to improve the overall security posture of the ecosystem. Without fortifying the infrastructure, existing leak points across FSA systems could be compromised, exposing FSA to appreciably large financial burdens.

[1] The Ponemon Institute 2010 U.S. Cost of a Data Breach, http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach

Protecting data is a shared responsibility of those facilitating the support of Title IV financial aid across the postsecondary school ecosystem. One of the many activities FSA is undertaking to improve data security is the implementation of Two Factor Authentication (TFA). The objective of the TFA initiative is to provide safe and secure access to FSA network services.

To comply with the White House mandate issued through the United States Office of Management and Budget (OMB), Memorandum M07-16 Attachment 1, and as part of our ongoing efforts to ensure the security of Federal Student Aid data systems, the U.S. Department of Education is required to implement a security protocol through which all authorized users will enter two forms of "authentication" to access Federal Student Aid systems via the Internet. This process is referred to as Two Factor Authentication (TFA). The implementation of Two Factor Authentication significantly reduces exposure to keyloggers at both managed and unmanaged endpoints of the network.

Authentication is where you prove your identity to a system in order to gain access. When two independent things are combined, strong authentication can be achieved and access is granted. Providing only one piece of information will not allow access to the system.

In essence, two factor authentication means providing two independent pieces of evidence that you are who you say you are. Something that you know is the first factor. The second factor is something that you have.
Two factor authentication can also be achieved with something you are, using biometrics such as a retina scan or fingerprint.

If you have ever used an ATM card issued by a bank, you have used the two factor authentication process.

Something that you know is the First Factor: Your PIN number
Something that you have is the Second Factor: The physical ATM Card

FSA has chosen a physical "key fob" token that generates a One Time Password (OTP) for the second factor authentication.

Something that you know is the First Factor: User ID and Password
Something that you have is the Second Factor: Token with a One Time Password (OTP)

The One Time Password (OTP) is a six digit numeric code generated by the token. To generate the OTP, the user presses the button on the front of the token. A different OTP is generated each time the button is pressed, and it is displayed for 30 seconds. When the number displayed is entered along with the User ID and Password, access will be granted for the user.

There are many people working in concert across the ecosystem to deliver financial aid. The TFA initiative encompasses approximately 96,000 FSA employees, U.S. Department of Education employees, Financial Aid Directors, Financial Aid Administrators, Destination Point Administrators, Call Center Representatives, Developers and Contractors.

The TFA project is focused on privileged users. A privileged user is anyone who can see more than just their own personal data. In this context, personal data is defined as Personally Identifiable Information (PII). PII is "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."[2]

Examples of PII include, but are not limited to:
• Name, such as full name, maiden name, mother's maiden name, or alias
• Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number
• Address information, such as street address or email address
• Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)[3]

In order to "Lock Down" FSA systems at postsecondary schools, the Primary Destination Point Administrator (PDPA) or Security Administrator for each school will need to confirm (attest) who is authorized to access Federal Student Aid systems on behalf of the school. Similar leadership roles will be identified in each of the third party entities supporting the distribution of Title IV Aid.

Upon confirmation of the authorized users, FSA will send tokens to the PDPA. The PDPA will be responsible for providing a token to each authorized user such as a Financial Aid Administrator (FAA). The end user in this scenario, the FAA, will then register their token online.

The TFA initiative impacts several FSA systems. We plan to implement system changes for TFA in a phased approach from October 2011 through February 2012.

Available Now – FAA Access to CPS Online
October 24, 2011 – COD System
December 18, 2011 – NSLDS and eCB System
February 12, 2012 – SAIG/EDconnect

[2] This definition is the GAO expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf.
[3] NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), SP 800-122, April 2010, http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
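The OTP token described above (press the button, get a fresh six-digit code) is what a verifier has to check on the server side, together with the User ID and Password. The following is an added illustration and is not FSA code or a description of FSA's token vendor: it assumes an event-based token whose code is RFC 4226 HOTP over a per-token counter, and constructs its own user record, salt and token seed (the RFC 4226 test-vector seed). What it shows that the prose does not is why a keylogger gains nothing from a captured OTP: once a code is accepted, that counter value and every value below it are burned, so the same six digits are refused on replay, and a correct code with a wrong password still fails.

```python
"""Server-side check of both factors: a password (something the user knows) and a
six-digit one-time password from a button-press token (something the user has).
Added example.  Assumption: the token is event-based, so its code is computed as
RFC 4226 HOTP over a per-token counter; this is not a description of any FSA system."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

LOOKAHEAD = 5  # unused button presses tolerated before a login (constructed policy value)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """The first factor is stored as a salted PBKDF2 hash, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class UserRecord:
    user_id: str
    salt: bytes
    password_hash: bytes
    token_secret: bytes     # seed shared with the key fob when the token is registered
    token_counter: int = 0  # lowest counter value the server will still accept


def make_user(user_id: str, password: str, token_secret: bytes, salt: bytes) -> UserRecord:
    """Build a user record; salt and token seed are supplied by the caller (constructed in tests)."""
    return UserRecord(user_id, salt, hash_password(password, salt), token_secret)


def verify_login(user: UserRecord, password: str, otp: str) -> bool:
    """Grant access only when both factors check out.

    A captured OTP is useless to a keylogger: once accepted, that counter value and
    every value below it are burned, so replaying the same six digits fails.
    """
    if len(otp) != 6 or not otp.isdigit():
        return False
    password_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
    # Search a small window ahead of the expected counter so a few button presses
    # that were never submitted do not lock the user out.
    for counter in range(user.token_counter, user.token_counter + LOOKAHEAD + 1):
        if hmac.compare_digest(hotp(user.token_secret, counter), otp):
            if password_ok:
                user.token_counter = counter + 1  # burn this code and any skipped ones
                return True
            return False  # right token, wrong password: do not advance the counter
    return False


if __name__ == "__main__":
    # Constructed demo data: the RFC 4226 test-vector seed and a fixed salt.
    demo = make_user("faa01", "correct horse", b"12345678901234567890", b"constructed-salt")
    code = hotp(demo.token_secret, 0)                   # what the fob shows on the first press
    print(verify_login(demo, "correct horse", code))    # True
    print(verify_login(demo, "correct horse", code))    # False: replayed OTP
```

The look-ahead window is the server-side counterpart of the token's 30-second display: it lets a user who pressed the button a few times without logging in still get in, while keeping the set of acceptable codes small. The counter is only advanced when both factors pass, so an attacker who has the OTP but not the password cannot desynchronise the token.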
The TFA rollout is planned to run from Fall 2011 through Fall 2012. During Q3 and Q4 of FY 2011, over 6,000 TFA tokens were issued to FSA employees and U.S. Department of Education employees. The next phase of deployment is the postsecondary schools. As we implement the system changes, we will also begin rolling out token information and tokens to the domestic school community.

Fall 2011 – Authorized users in the DeVry University system of schools have received and registered their tokens.
December 2011 – Authorized users at domestic schools in Delaware, Maryland, Virginia, West Virginia, and the District of Columbia will receive and register their tokens.
February 2012 through September 2012 – All authorized users at the remaining domestic schools will receive and register their tokens and begin to use them for all systems noted above. We plan to roll out TFA to the remaining schools in approximately eight different groups of states. Just prior to initiating contact with the schools in each group, we will post an electronic announcement that provides notice of the states included in that group.

We must do a better job as stewards of PII and improve our security posture against data leaks. This is a shared responsibility of not only FSA and U.S. Department of Education associates, but all those who access our systems on behalf of our students. We cannot complete this without your help. For more information on TFA, please stop by one of our three sessions where we will go into more detail on the protection of PII and the TFA rollout.