Penn WebLogin two-step verification: Rollout to an Organization
Here are some resources and recommendations for rolling out two-step
verification to an entire organization or group of people, e.g. those
with access to confidential University data.
- Note that the pilot is limited to faculty, full-time permanent staff, and students right now.
- Give LSPs a heads-up about rollout plans, recommending they review the service page, enroll themselves, and review the LSP-specific advice. In addition, you may wish to hold a brown bag session for your LSPs using these slides.
- Consider requiring each person to attend a brown bag setup clinic where you or an LSP walks attendees through the setup process.
- Make sure users know where to get help with problems logging in or opting in (i.e. who their LSP is).
- You may wish to send periodic reports to managers to let them know who hasn't enrolled yet. (Contact the project team at TWO-FACTOR-PILOT-PROJ@LISTS.UPENN.EDU for access.)
Timeline & Communications
Here is a calendar with suggested dates and sample announcements for the rollout.
Not everyone in the group will have a mobile device, or if they do have
one, they may not want to use it for business purposes. As part of the
rollout, plan to purchase key fobs for some portion of the group.
In ISC, 20% of users did not have or did not wish to use a smartphone, so
SafeID/Blade key fobs (hardware tokens)
from Deepnet Security were used.
- Fobs are available at the Computer Connection for $17 each. If
you need a large number of them, you may wish to call first to verify
availability, or to request a special order (Paul Culkin - Departmental Order
Supervisor 898-0889, firstname.lastname@example.org).
- Plan for ongoing purchase needs - for new faculty/staff members, to
replace broken or lost fobs, etc.
- Plan to retire a fob upon the user's separation from Penn (with attendant opt-out of 2SV). However, it's also permitted to allow a person to keep it and just opt them out if support issues arise.