A person looking at their phone and laptop.
A person looking at their phone and laptop.

Multi-Factor Authentication (MFA)

Reliable identification for digital access
Duration
1 June 2023 until 31 December 2024
Project member(s)
B.V.L. Steen (Björn) A.M.W. Claassen (Wim) J.A. Cras (Hans) L.J.G. Mulders (Lourens) Y.W. Ehlers (Ydo) J.P. Brakkee (Hans) R.J. Euwijk (Ruben) , Kock, R. de (Ronald) , Heijden, F. van der (Frans) , Pennings, M.H. (Marloes)
Project type
ICT

MFA uses an additional identifier in conjunction with the password in order to establish with much greater certainty that the person trying to log in to your Radboud account really is you. 

The Information Security Organisation (IS organisation) Redevelopment Programme aims to develop an IS organisation that adequately deals with information security risks for Radboud University. The redevelopment process is based on a roadmap in which roles, actions and projects are implemented interdependently. In the past year, several steps have been taken, including the development of the IS organisation and the implementation of measures – one of which is the implementation of multi-factor authentication (MFA). MFA has already been implemented for a number of systems (for the entry of test results and IT management processes); it still needs to be rolled out for other systems and applications. This is the goal of this subproject.

MFA uses an additional identifier in conjunction with the password in order to establish with much greater certainty that the person trying to log in to your Radboud account really is you. This additional identifier is an application installed on your mobile phone; to use it, you just have to link it to your username once. This process is called ‘vetting’.

This is the same MFA procedure that everyone is already familiar with for Radboud University’s Microsoft 365 applications. This only applies to applications where you log in with the new Radboud account (volledigenaam [at] ru.nl (volledigenaam[at]ru[dot]nl)) instead of your U/S/E number. This is a major project (‘account consolidation’) that is already underway and is a prerequisite for MFA.

Approach

There are currently hundreds of applications for which MFA could be considered. To keep a clear focus, MFA will first be implemented for a priority list of applications that are most in need of MFA protection. It will then be rolled out to the remaining applications. At the moment, MFA is already in place for all Microsoft 365 applications (Teams, OneDrive, email).

The priority list: 
Datawarehouse, Bass, the CRM system Dynamics 365, Topdesk, the identity and access management system, workspace management (Werkplek voor beheer), TermTime, OfficeSuite email system, KMS, Osiris, Cirrus (will become ANS), Brightspace, Metis, RDR, Corsa and eduVPN.

Objectives

  • Introduce a form of multi-factor authentication suitable for all users and information services for Radboud University standard accounts.
  • MFA will become the standard for (almost) all applications within Radboud University.
  • Set up the capability to vet all users, associated with their MFA-enabled account, to achieve a higher level of user identity security than is currently the case.
  • Design and set up procedures for MFA lifecycle management.
  • Strike the right balance between ease of use and security of online information.