By Ann West, AVP for trust and identity, Internet2 and Steve Zoppi, AVP, Services Integration and Architecture, Internet2
Estimated reading time: 4 minutes
In October 2024, the National Science Foundation (NSF) announced new multi-factor authentication (MFA) requirements for Research.gov access. Those of you following along at home probably remember the National Institutes of Health (NIH) requiring MFA for access to their grants management system, eRA, in September 2021.
It’s not uncommon for each federal agency to announce its own compliance requirements for access to its systems, based on its security and business needs. The requirements overlap but differ in the details, and each arrives on its own timeline for a different group on campus. Higher education IT is left to juggle them, building systems that can simultaneously satisfy the strictest of several regulatory frameworks while remaining usable, affordable, and efficient for a diverse campus community.
So How Do We Make It More Efficient and More Affordable?
The solution requires a conversation with those wanting the change, and those needing to respond to it, to agree on a systematic but flexible approach that balances technical capabilities, operational efficiency, and risk management. That’s what the InCommon Federation, the U.S. community access framework for research and higher education operated by Internet2, is all about.
To support the recent NSF and previous NIH changes, InCommon is working closely with these key federal agencies to ensure that:
- What you support for one through InCommon will work for the other when the time comes.
- The community can evolve the Framework to reflect the changing needs of its participants.
That’s the beauty of standards and a community-driven access framework.
For instance, when NSF announced in its October 11 Dear Colleague Letter that Research.gov users would need to enroll in MFA, the impact was minimal for most of the 122 organizations integrated with Research.gov through InCommon. Seventy-seven percent (77%) had MFA support in place thanks to earlier work with NIH’s grants management system. For researchers at these institutions, the transition was seamless – their login experience remained unchanged before and after the NSF deadline.
In the days before and after the deadline, InCommon staff worked with the remaining institutions and NSF to raise the total to 95%. That means that within a week of the deadline, researchers at 116 institutions were using their InCommon-enabled campus credential to sign into Research.gov, leaving more time for discovery and less for password management.
What’s in Store for the Future? More Change.
As we all know, NSF and NIH are both working to increase their security while containing costs, just like higher education.
Federal agencies are increasingly pushing campuses to strengthen authentication beyond basic MFA with a growing focus on phishing-resistant MFA protocols and enhanced identity assurance measures.
NSF is planning to use a federation standard, the REFEDS MFA Profile, to signal the need for MFA at the time of access through the InCommon Federation, as NIH already does. Under that profile the agency’s service provider asks for the REFEDS MFA authentication context in its request, and the campus identity provider asserts that same context in its response only when the user’s session actually used two distinct factors. Longer term, NSF is also asking that InCommon-registered campus SSO systems be able to support phishing-resistant MFA. Other agencies are interested in this as well.
Building on the MFA rollout in 2021, NIH is also interested in campuses being able to signal identity assurance using the REFEDS Assurance Framework v2. InCommon is sponsoring a working group to update best practices around supporting this key standard.
We have work to do as a community and as professionals at our own organizations. Every step we take together strengthens not just our individual institutions, but our entire research and education community.
What Can You Do Now to Prepare?
1. Participate in the community discussion.
At the Internet2 Technology Exchange, we’ll be hosting a conversation about federal agency compliance and the access management portions in particular:
- What does the community need to support the federation standards? You can do your part to help more campuses support the MFA standards through InCommon.
- We’ll also be discussing phishing-resistant MFA requirements and techniques that are implementable at the campus level.
We’d love to see you there!
2. Develop your organization’s action plan.
- If you haven’t already, implement MFA as the default for campus SSO credentials, connect it to your InCommon-registered identity provider, and implement the REFEDS MFA Profile so your identity provider signals to federated partners that MFA was used for the session.
- Review your identity assurance practices and reflect them in federation following REFEDS Assurance Framework v2 and the guidance the InCommon working group is developing.
- Stay engaged with InCommon and consider helping the community as we develop updated federation standards concerning phishing-resistant MFA.
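The relying-party side of the two standards named above and in the action plan, as an added example that is not InCommon, NSF or NIH code: a service provider requests the REFEDS MFA context, then checks that the identity provider actually asserted it (rather than silently downgrading to a password-only context) and reads the REFEDS Assurance values carried in eduPersonAssurance. The SAML messages are constructed for the example and are unsigned, and the hostnames, IDs and the particular set of required assurance values are assumptions; a real service provider validates the response signature and conditions with its SAML library before running checks like these.

```python
# Added example, not InCommon, NSF or NIH code: the SP side of REFEDS MFA Profile
# and REFEDS Assurance signalling.  Sample SAML messages are constructed here and
# are unsigned; a real SP validates the Response signature and conditions with its
# SAML library before running these checks.
import xml.etree.ElementTree as ET
from typing import List, Optional, Set

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"  # eduPersonAssurance


def requested_contexts(authn_request_xml: str) -> List[str]:
    """AuthnContextClassRef values the SP asked for in its AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS) if e.text]


def asserted_context(response_xml: str) -> Optional[str]:
    """AuthnContextClassRef the IdP actually put in the AuthnStatement."""
    root = ET.fromstring(response_xml)
    path = ("saml:Assertion/saml:AuthnStatement/saml:AuthnContext/"
            "saml:AuthnContextClassRef")
    e = root.find(path, NS)
    return e.text.strip() if e is not None and e.text else None


def mfa_satisfied(response_xml: str, required: str = REFEDS_MFA) -> bool:
    """Exact match of asserted vs. required context.  Requesting MFA is not
    enough: an SP that skips this comparison silently accepts a password-only
    login from an IdP that ignored or could not honour the request."""
    return asserted_context(response_xml) == required


def assurance_values(response_xml: str) -> Set[str]:
    """REFEDS Assurance URIs carried in the eduPersonAssurance attribute."""
    root = ET.fromstring(response_xml)
    values: Set[str] = set()
    for attr in root.findall(
            "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EDUPERSON_ASSURANCE:
            values.update(v.text.strip()
                          for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def meets_assurance(values: Set[str], needed: Set[str]) -> bool:
    """True when every assurance value the relying party requires is asserted."""
    return needed <= values


# Constructed sample messages (hostnames and identifiers are made up).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2025-01-15T10:00:00Z">
  <saml:Issuer>https://sp.example.gov/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def sample_response(context: str) -> str:
    """Minimal unsigned Response whose AuthnStatement carries `context`."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2025-01-15T10:00:05Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-15T10:00:05Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2025-01-15T10:00:04Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/assurance</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/assurance/ID/eppn-unique-no-reassign</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("requested:", requested_contexts(AUTHN_REQUEST))
    print("MFA honoured:", mfa_satisfied(sample_response(REFEDS_MFA)))
    print("downgraded to password:", mfa_satisfied(sample_response(PASSWORD_CTX)))
    print("assurance:", sorted(assurance_values(sample_response(REFEDS_MFA))))
```

The comparison in `mfa_satisfied` is deliberately exact: the profile defines a single URI, and treating any other context as "good enough" is exactly the downgrade the signalling is meant to prevent. Which assurance values a given agency will require is its own policy decision; the `IAP/medium` and `ID/eppn-unique-no-reassign` values here are illustrative picks from the framework, not a published agency requirement.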
Level Up Your Campus IAM Security
Here’s our challenge to you: Don’t wait for these changes to become mandatory. Make 2025 the year you level up your campus IAM security. Your researchers will do more discovery and less password management, and your IT security officer will thank you!
Feel free to reach out to help@InCommon.edu if you have questions or would like to discuss your IAM and MFA needs.