Multi-Factor Authentication (MFA)
Project Status
Estimated project completion: see Projects
Executive Summary
McLennan Community College (MCC) is committed to protecting its digital infrastructure, institutional data, and the personal information of students, faculty, and staff. As part of this commitment and in alignment with MCC’s strategic goals of student success, operational excellence, and caring for people (McLennan Community College, n.d.), the college will implement Multi-Factor Authentication (MFA) using the Duo Security application.
This project aims to enhance identity protection and reduce the risk of unauthorized access to systems by requiring an additional layer of authentication beyond passwords. MFA will be rolled out in a phased approach, starting with the Information Systems and Services (ISS) department followed by faculty, staff, and students.
The project will require collaboration with MCC leadership and departmental stakeholders with a focus on usability, communication, training, and compliance. The estimated project cost is $100K. $72K will be funded by the State and Local Cybersecurity Grant Program through the Office of the Governor of Texas.
Business Need & Background
Eighty-one percent (81%) of web application breaches are traced to stolen credentials. This means that password-only security models are no longer sufficient. Multi-Factor Authentication adds an additional layer during the authentication process that vastly reduces the value of stolen credentials because the bad actor needs an additional factor to gain access.
Project Description & Scope
The project will prioritize the protection of Virtual Private Network (VPN) access and web-based authentication via Single Sign-On (SSO). Duo will be integrated with MCC’s existing authentication infrastructure to enforce MFA during logins to core services. As part of a broader transition to an SSO-first architecture, all new services and applications adopted by MCC will be required to use centralized SSO and, by default, be protected by MFA.
In-Scope Services and Deliverables
- Integration of Duo Security with MCC’s VPN to require MFA for remote access.
- Enforcement of MFA for Microsoft 365 and other SSO-enabled web applications.
- Deployment of Duo push notifications and passcodes via the Duo Mobile app.
- Centralized device management and monitoring for enrolled users.
- Training materials, user guides, and support documentation.
- Administrative dashboard setup and transfer of service ownership to IT Services.
Out-of-Scope Items
- Google student email accounts (to be addressed in a future phase).
- Physical security controls or campus card access systems.
- MFA for third-party services that do not currently support SSO integration.
- Migration or replacement of non-SSO legacy systems (to be addressed separately).
- Service(s) that are incompatible or not modernized will not be included in this project. However, those services will be migrated later.
Project Schedule
| Phase | Timeline | Fiscal Year | Notes/Academic Calendar Alignment |
|---|---|---|---|
| Requirements | February | 2025 | Develop application requirements to provide to vendor for verification. |
| Solution Analysis | March | 2025 | Analysis of Duo integration capabilities. Completed prior to Spring Break to ensure continuity. Identify SSO-enabled systems for Phase 1. |
| Design | May | 2025 | Occurs after Spring Finals (May 5–10). Includes Duo policy definitions, enrollment workflow design, and support model planning. Request pre-deployment admin accounts. |
| Code/Build | May-June | 2025 | Post-semester build window. Integration with VPN. Initial pilot testing (ISS staff only). |
| Test | June | 2025 | Conduct system-wide testing. Internal QA. Early user pilot. Adjustments made based on VPN/M365 login behavior and SSO reliability. |
| Train | July | 2025 | End-user training for staff/faculty during Summer I and II sessions. Avoids July 4 holiday and ensures Help Desk and Cybersecurity team are fully trained. |
| Deploy | July | 2025 | Go-live scheduled for late July, prior to start of Fall 2025 term (August 26). Provides a 3–4-week buffer to stabilize MFA adoption. |
Project Management and Governance
| Role | Name | Organization |
|---|---|---|
| Executive Sponsor | Johnette McKown | President |
| Executive Sponsor | Chadwick Eggleston | Vice President of Instruction & Student Engagement |
| Executive Sponsor | Mark Harmsen | Vice President of Finance & Administration |
| Executive Sponsor | Laura Wichman | Vice President of Strategic Planning & Enrollment |
| Project Oversight | Mario Leal | Chief Information & Technology Officer |
| Project Team (Manager) | John Segovia | Cybersecurity & Online Technologies Manager |
| Project Team (Technical Lead) | H. Nielsen | Cybersecurity Application & Support Specialist |
| Project Team | Daniel Brown | Cybersecurity Application & Support Specialist |
| Project Team | Laura J. Crapps | Cybersecurity Business Analyst |
| Infrastructure Point of Contact | Noah Daly | Infrastructure Manager |
| Customer Support Services Point of Contact | David Kuehne | Customer Support Services Manager |
| Administrative Systems Point of Contact | Vickie Peterson | Administrative Systems Manager |
Documentation
Last updated: 5/16/2025