Maintained for Historical Purposes

This resource is being maintained for historical purposes only and is not currently applicable.

(FS-2011-04) Subject: TFA Information - All Foreign Schools Must Use Two Factor Authentication Beginning October 1, 2011

Posted Date: August 3, 2011

Foreign School Update ID: FS-2011-04

Author: Pamela Eliadis, Service Director, System Operations & Aid Delivery Management, Federal Student Aid
William Leith, Service Director, Program Management, Federal Student Aid

To comply with the United States Office of Management and Budget (OMB) mandate, Memorandum M07-16 attachment 1, and as part of our ongoing efforts to ensure the security of the Federal Student Aid data systems, we are implementing a security process through which all authorized users will be required to enter two forms of "authentication" to access Federal Student Aid systems via the Internet.

This security process, which is new to Federal Student Aid systems, is an established technology referred to as Two Factor Authentication (TFA).

  • The first factor is something that an individual knows—his or her User ID and Password.

  • The second factor is something that an individual has—a token that generates a One-Time Password (OTP).

TFA will require each authorized user to log in to our systems with a traditional User ID and Password as well as to provide an OTP generated by a registered token device that is in the physical possession of the user.

We will first implement TFA for authorized users at foreign schools that participate in the William D. Ford Federal Direct Loan (Direct Loan) Program. Following foreign school implementation, we will implement TFA for authorized users at participating domestic schools. This Foreign School Update provides a high-level overview of TFA implementation for foreign schools. We present the information as follows:

  • TFA Token Information

  • TFA Implementation and System Rollout Information

  • TFA Implementation and Token Distribution Communications

  • Contact Information

TFA Token Information

The TFA token is a small electronic device with a "power" button and a display screen on its front. To generate the OTP, the user will press the button on the front of the token. A different OTP will be generated each time the button is pressed and will be displayed for 30 seconds.

Federal Student Aid will provide tokens to each foreign school’s Primary Destination Point Administrator (PDPA) or Security Administrator. The PDPA or Security Administrator will then distribute a token and token registration information to each authorized user at the foreign school. The authorized user will register the token with each Federal Student Aid system he or she is responsible for accessing.

TFA Implementation and System Rollout Schedule

TFA for foreign schools will be implemented in several phases and will apply to the FAA Access to CPS Online Web site, Common Origination and Disbursement (COD) System, National Student Loan Data System (NSLDS), and Student Aid Internet Gateway (SAIG) for users who access the SAIG via EDconnect.

  • The first phase was completed in Spring 2011 with authorized users at a small group of foreign schools. These users now access the FAA Access to CPS Online Web site under the TFA process using their tokens.

  • The second phase will expand TFA to authorized users at all foreign schools. All authorized users at the remaining foreign schools will receive and register their tokens.

    In addition, authorized users at these foreign schools who are responsible for accessing the FAA Access to CPS Online Web site must begin using TFA to access this Web site by October 1, 2011. Beginning on that date, each time an authorized user wishes to log in to the FAA Access to CPS Online Web site, the user will be required to enter a user ID, a password, and the OTP generated by the user’s registered token.

  • In late October 2011, authorized users at all foreign schools who are responsible for accessing the COD System will be required to use TFA to do so. Currently, this implementation is planned for October 23, 2011.

  • In mid-December 2011, authorized users at all foreign schools who are responsible for accessing the NSLDS will be required to use TFA to do so. Currently, this implementation is scheduled for December 18, 2011.

  • At a time yet to be determined, authorized users at all foreign schools who are responsible for accessing and downloading files from their SAIG mailboxes via EDconnect will be required to use TFA to do so. We will inform foreign schools of this implementation date as soon as it is available.

We will provide detailed information about the rollout of each TFA phase in advance of each phase’s implementation date. We ask foreign schools to monitor the IFAP Web site for the forthcoming guidance.

With the rollout of each TFA phase, each authorized user will need to register his or her token one time for each system. This means that authorized users who access more than one of our systems will complete the registration step more than once. However, the user will use the same token for all systems. Through our forthcoming guidance, we will inform schools when the registration component can be completed for each system.

Note: G5 is not affected by this TFA rollout. Authorized users at foreign schools who are only responsible for accessing G5 do not need to receive and register a token at this time.

TFA Implementation and Token Distribution Communications

Over the next two months, we will work with a foreign school’s PDPA or Security Administrator to implement TFA and distribute the tokens.

In addition to Foreign School Updates posted on the IFAP Web site, we will use e-mail to provide school-specific TFA token implementation information. These e-mails from Richard Gordon, Chief Information Officer for Federal Student Aid, will originate from the TFA Communications e-mail address provided below.

The e-mails to PDPAs and Security Administrators will be sent on a rolling basis, so some foreign schools may not be contacted immediately. We will begin sending the first set of e-mails on or about August 8, 2011 and anticipate distributing tokens to the PDPAs and Security Administrators at all foreign schools by September 1, 2011.

Note: If a foreign school was part of the small group that has already received and begun using the TFA token to access the FAA Access to CPS Online Web site, no further action is required at this time.

Contact Information

We appreciate your cooperation in providing safe and secure access to Federal Student Aid systems and look forward to working with the foreign school community to implement TFA.

If you have questions about TFA or the information in this communication, contact us at TFA_Communications@ed.gov.

Last Modified: 08/02/2011