Phishing attacks targeting traditional authentication with MFA (including TOTP, SMS and push) are becoming more frequent, and the University routinely sees login pages spoofed and credentials replayed. Adjustments to security awareness training and authentication processes can no longer keep pace with such attacks, so responses are reactive rather than proactive. A single authenticator and a flat assurance level are insufficient for protecting the range of university systems. Therefore, the University seeks to deprecate its traditional authentication systems, replacing them with a single unified service built around phishing-resistant passkeys and device posture, for proactive protection of both standard and high-value targets.

Single sign-on is one of the few common layers that span a highly distributed technology environment. This common layer can enforce security standards on endpoints before permitting access. It can also limit access to systems to specified relationship types, better separating authentication from authorization in a very distributed environment. Both goals are consistent with zero trust principles. Therefore, the University seeks to implement and use these capabilities.

The way in which a person is affiliated with the University can, and often does, change multiple times over many years. A person may be in a role that handles sensitive data in files and emails and later move to a role where this is no longer true. Today, the identity and email accounts remain unchanged throughout these moves. When a person moves to a less sensitive role, the same understanding and protection may no longer be present, even when the sensitive data still is. Therefore, the University seeks to implement a scheme that either requires a change of identity, requires removal of the data and access, or requires the same strong protection to remain in place.
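As an added illustration, not part of the University's document, of why a flat assurance level is insufficient and how a single sign-on layer can combine authenticator type, device posture and relationship type into one access decision: a small policy evaluator. The tier names, authenticator labels, affiliation labels and sample systems are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Assurance tiers (assumed naming) instead of one flat level."""
    NONE = 0
    PHISHABLE_MFA = 1          # TOTP, SMS, push: a spoofed login page can relay these
    PHISHING_RESISTANT = 2     # passkey: the credential is bound to the genuine origin
    RESISTANT_MANAGED = 3      # passkey from a device that passed the posture check


@dataclass(frozen=True)
class AuthContext:
    authenticator: str       # e.g. "password+totp", "password+push", "passkey"
    device_compliant: bool   # endpoint posture result reported to the SSO layer
    affiliations: frozenset  # relationship types, e.g. {"student"}, {"hr"}


@dataclass(frozen=True)
class Resource:
    name: str
    min_assurance: Assurance
    allowed_affiliations: frozenset


def assurance_of(ctx: AuthContext) -> Assurance:
    """Map how the session was authenticated to an assurance tier."""
    if ctx.authenticator == "passkey":
        return Assurance.RESISTANT_MANAGED if ctx.device_compliant else Assurance.PHISHING_RESISTANT
    if ctx.authenticator.startswith("password+"):
        return Assurance.PHISHABLE_MFA
    return Assurance.NONE


def decide(ctx: AuthContext, res: Resource) -> tuple:
    """Authentication strength and relationship type are checked separately,
    so a strong login alone does not grant access to every system."""
    level = assurance_of(ctx)
    if level < res.min_assurance:
        return False, f"{res.name}: needs {res.min_assurance.name}, session has {level.name}"
    if not (ctx.affiliations & res.allowed_affiliations):
        return False, f"{res.name}: affiliation {sorted(ctx.affiliations)} not permitted"
    return True, f"{res.name}: granted at {level.name}"


# Constructed sample targets: a standard system and a high-value one.
LMS = Resource("learning-system", Assurance.PHISHABLE_MFA, frozenset({"student", "staff"}))
HR_DATA = Resource("hr-records", Assurance.RESISTANT_MANAGED, frozenset({"hr"}))
```

With these tiers, `decide(AuthContext("passkey", True, frozenset({"hr"})), HR_DATA)` grants access, while the same person signing in with TOTP, or with a passkey from a non-compliant device, is refused for the high-value system but still reaches the standard one if their affiliation permits it.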