Getting Ready for Multifactor Authentication (MFA): Status Update
The last CAF newsletter highlighted our ongoing effort to elevate the security posture of CAF participants. We are continuing to work with the Trust and Identity Committee and our international partners to raise security baselines towards MFA as a minimum requirement. This minimum requirement is already in effect: the National Institute of Health (NIH) in the US requires MFA, effective September 2021. As we expect this requirement to expand to other funding agencies, the CANARIE team is working to ensure that all CAF participants meet it so that research and collaboration can continue without disruption.
To everyone who has contributed towards strengthening the recommendation set: we appreciate your help. If you are configuring MFA support and want to check if you are MFA compliant, here is a key resource:
In addition, we are working with CAF participants to secure federation-facing services with MFA. If you would like to learn more about federation support for MFA, if your institution receives funding from the National Institute of Health in the US, or if you want to ensure that MFA is used to access your services, please reach out to: email@example.com
eduroam Updates – Fragmentation and Aggregation Attacks (FragAttacks)
A new Wi-Fi security vulnerability called fragmentation and aggregation attacks (“FragAttacks”) has been detected. A FragAttack is an attack against Wi-Fi infrastructure and clients, rather than against any specific wireless network. It exploits design flaws in Wi-Fi to attack unpatched Wi-Fi equipment. Although eduroam is no more or less affected than any other enterprise Wi-Fi network, we recommend that you keep your equipment and device patching current and that you have your users configure their devices with the eduroam Configuration Assistant Tool (CAT) profile.
We encourage you to use best practices for client security settings:
- Ensure that you have a Configuration Assistant Tool (CAT) profile available to download and that it is a requirement for your eduroam users as part of their onboarding. If you do not have a CAT profile, please reach out to: firstname.lastname@example.org
- Review your device settings to remove open/unsecured or automatically connecting Wi-Fi SSIDs to reduce the risk of untrustworthy access points.
- Discontinue the use of legacy/end-of-life Wi-Fi access points.
- Continue user communication about the mounting personal security and account compromise risks of using unpatched devices.
- Ensure you support 802.11w/PMF (Protected Management Frames) on your equipment.
CAF Workspace in Slack
The recently launched CAF Slack workspace has been a busy hub for communication and collaboration. We have significantly shortened the time it takes to address issues, and we are using the workspace to discuss new topics among the identity and access management community. There are a variety of channels specific to ongoing activities and discussions for both Federated Identity Management (FIM) and eduroam. This is a fantastic opportunity to engage directly with other members of the community, or just listen in and monitor progress. As your hosts, our CAF team is there, and we look forward to chatting with you.
For more information, please reach out to: email@example.com
Coming Soon: eduroam Usage Summary Reports and Dashboard
We are excited to share that eduroam reports will soon be available on the CANARIE Network Services Portal.
Once the reports are launched, if you support CAF Federated Identity Management, you’ll be able to log in using your home credentials to access a wealth of information about eduroam usage at your organization as well as your users’ eduroam usage at visited sites. The dashboard provides a quick snapshot of eduroam usage for the past 7 days and the past 12 months, while monthly, quarterly, and annual reports are available in the Archived Reports section.
If you have any questions, please reach out to us directly at: firstname.lastname@example.org