We recently undertook a survey of whether and how universities and colleges in the UK are deploying multi-factor authentication (MFA) for use with Office 365. The survey was undertaken using the Jisc Online Surveys service between 22 April and 11 May 2020 and was primarily advertised via the OFFICE365-MANAGERS JiscMail mailing list.
We received 50 responses, including 3 cases where we had 2 responses from the same institution. Therefore the number of institutions represented in the survey was 47. Note that there were a couple of responses from institutions outside the UK. I have included these in this summary.
Our survey says…
The results of the survey are presented below. Of the institutions that responded, 41 indicated that they have deployed MFA in some form and 6 indicated they have not. Of the ones that have, about 1 in 5 have rolled it out for everyone and another third have done so for all staff. Of the rest (i.e. about half), most are in some kind of pilot mode, often with just IT staff (or ‘admins’) using MFA but with an expectation of wider deployment at some point in the future.
Here are the details…
Of the institutions that have not deployed MFA, the main blockers preventing them from doing so are:
Other reasons given included concern about the impact of MFA on legacy apps such as Thunderbird, the possibility of increased demand on service desk staff, and a lack of internal resources in the IT team.
Remember that this is based on a small number of responses.
The remainder of the questions below were only answered by institutions that have deployed MFA for Office 365.
When asked about the hurdles that had to be overcome to deploy MFA, not surprisingly, user acceptance was cited as the main issue:
‘Other’ reasons given included service desk reluctance, concerns about use of personal devices (mentioned twice), cost, broader university support for the change, project management issues and concerns about the ability to support shared group accounts.
The vast majority (over 90%) of respondents that have deployed MFA are using Azure AD. However, two respondents indicated the use of Duo and one is using an in-house Shibboleth-based solution.
When asked what second factors institutions are using, most reported either the authenticator app or SMS, with some use of voice calling and hardware tokens:
‘Other’ approaches included third-party email, U2F keys (Chrome only) and the use of an in-house app.
All or nothing
There were a variety of responses about how widely MFA is being deployed within each institution:
20% have deployed MFA for everyone and a further 30% have deployed it for all staff.
A large number of institutions are still in pilot phase, rolling out MFA to just IT Services or subsets of it. Two institutions have an opt-in approach (but are mandating it for ‘admins’). Several pilots are targeting either all staff or all staff and students but are not yet at that point. So it is a bit of a mixed picture currently.
The reasons given for only rolling out MFA to a subset of the institution echo many of the blockers and hurdles indicated above: concerns about use of personal devices, push-back from senior management, staff roll-out considered more important than student roll-out (because the latter are not seen as such a high risk), and cost are all factors. But in the main, it seems that many institutions are currently in pilot mode and that wider adoption will inevitably come in due course.
Other security features
When asked about the use of other security features in conjunction with MFA, the responses were as follows:
So, Conditional Access is the clear favorite.
The two ‘other’ responses mentioned Microsoft’s Identity Function and on-prem network access management tools.
Finally, and positively, when asked about whether user-acceptance had been positive, the responses were mainly ‘yes’:
Again, in the ‘other’ responses, concerns about the use of personal mobile devices were mentioned a number of times. Interestingly, one respondent suggested that students were much more positive than staff when presented with the requirement to use MFA.
It is clear from the survey results that there is a lot of activity around MFA for Office 365 within the UK HE/FE sector. About 1 in 5 of the institutions that are using MFA have rolled it out for everyone and another third have done so for all staff. This is good because, as Richard Jackson noted in his Top 10 security tips for deploying Teams blog post a couple of weeks ago, “99.9% of Office 365 compromises are due to the lack of MFA being enforced for the targeted end users”. However, there is clearly room for improvement.
Of course, some concerns remain, both for those institutions that have rolled out MFA to at least some of their users and for those that are yet to start. Those concerns are predominantly around user acceptance, particularly within senior management, but also come from those who have concerns about using personal devices for work purposes.
Overall though, I suggest that concerns about user acceptance are somewhat overplayed. In our own experience within Jisc, people get used to MFA very quickly – it’s a change and, like many changes, people are wary of it, but once in place it quickly becomes a non-issue for most people. The survey results seem to echo this.
For completeness, responses were received from the following institutions:
- Aberystwyth University
- Bangor University
- Birmingham City University
- Bishop Grosseteste University
- Cardiff University
- Chesterfield College
- City, University of London
- Goldsmiths College
- Imperial College London
- Lancaster University
- Leeds Beckett
- Leeds Trinity University
- London Business School
- Loughborough University
- Maynooth University
- MidKent College
- Newcastle University
- NUI Galway
- Perth College UHI
- Queen’s University Belfast
- Royal Agricultural University
- Staffordshire University
- Swansea University
- Teesside University
- TU Dublin
- Tyne Coast College
- University of Reading
- University of Aberdeen
- University of Bath
- University of Buckingham
- University of Cumbria
- University of Derby
- University of Dundee
- University of Greenwich
- University of Kent
- University of Lincoln
- University of Reading
- University of St Andrews
- University of Stirling
- University of Surrey
- University of Westminster
- University of Wolverhampton
- University of Warwick
Plus one response that didn’t provide an institution name.