Educause Security Discussion mailing list archives

Re: Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses


From: Don Murdoch <djmurd () COX NET>
Date: Wed, 3 Jun 2015 10:21:33 -0400

Greetings. Some thoughts from the commercial sector… Fortune 500.

General – we chose Entrust IdentityGuard for an F/500 org that needed a graduated roll-out by user population. Key factors included:

a) The ability to put a PDF-based 2FA “card” into the hands of a user, where the user self-enrolled on the inside of the network (protected site, more or less) and then could use the token outside. Other form factors were also supported – plastic card, smart card, fob. The PDF option made for a nearly zero-cost deployment when coupled with good directions, an email campaign, a zero-cost/quick “reissue” process through the self-enrollment site, and individualized security questions.

b) The 2FA grid is an NxN card – suggested 4x8 to 6x12. It has numbers down the side and letters across the top. On an integrated site the user is prompted to enter the grid coordinates during the authentication process. For example, prompt the user for I1, B3, C4. They then type in the letters – say Z, 4, G.

c) In our case, they needed to auth to A.D. first (multiple domains in play), and then answer the grid prompt. So – you needed an active account, and then the active 2FA device. Therefore we captured a “real login”, and then a supplemental authentication. This allowed us to have great “where did they come from” logging before full admittance.

d) On the grid – we chose 5x10 because that print size was the most we could get and still be readable by a person with 20/60 vision.

e) IDG supports a “secondary email address” for users to have their grid sent to, aside from their work email address. This had a particular advantage. Users can send the 2FA grid to a home email address, then read home mail on their phone and store the PDF on the smart phone. Very handy. Also solves the “how do I get my grid again” problem nicely.

f) The solution supported checking an AD group, or some other AD attribute, to determine if an integrated site/solution would perform the 2FA prompt. This was beneficial as we could “add” users to the solution over time.

1. What provider did you select (Duo, Vasco, others)?

Entrust IdentityGuard; experience with RSA using both soft and physical tokens.

2. Did you implement two-factor across all systems or just selected systems?

Entrust IDG – remote access via Citrix for the Internet-accessible user base was the primary use case.

RSA – most of the UCs defined by RSA are in use. No negatives observed as a consumer of same.

3. If you are using a hosted email solution (such as Google Apps or Office 365), did you include that in your two-factor roll-out?

4. Did you include all faculty and staff or just selected users?

In our case, the FTE population is in scope. That’s 7,000+ users for the Entrust IDG, and a whopping number for the RSA piece.

5. Did you include students or allow for “student opt-in?”

6. For ongoing two-factor administration, what level of staffing has it required?

My experience in the commercial space is that graduated roll-out is labor intensive. You need to understand how to do this for your org. It was very much worth trying to define the user population who received the E/IDG token and the RSA token. Then you need to *clearly* have a process for end users to *quickly* get a new “device”. If you don’t work that out ahead of time you will be in very unhappy land.

7. Based on your roll-out experience, what key bit of advice might you offer to those of us considering this move?

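The grid-card challenge/response and the gated two-step login that Don describes above, as an added example that is not part of the original post and not Entrust's code: a Python model of a 5x10 card (letters across the top, numbers down the side), a fresh three-cell challenge per attempt, constant-time verification of what the user types, and a login flow that authenticates against a directory first, records the "real login" and its source, and only then prompts users whose group attribute puts them in scope. The `DIRECTORY` dict, the usernames, the IP address and the `answer` callback are constructed stand-ins for Active Directory and for the user reading cells off the card.

```python
import hmac
import secrets
import string

# Card geometry from the post: letters across the top, numbers down the side,
# 5x10 chosen for readability. Cells hold an upper-case letter or a digit.
COLUMNS = "ABCDEFGHIJ"
ROWS = 5
ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_CELLS = 3            # the prompt "I1, B3, C4" asks for three cells


def make_grid(rows=ROWS, columns=COLUMNS):
    """Generate one card as {coordinate: cell}, e.g. {"A1": "Z", ...}.
    Cells come from the OS CSPRNG, so each card is independent of every other."""
    return {f"{col}{row}": secrets.choice(ALPHABET)
            for row in range(1, rows + 1) for col in columns}


def render_card(grid, rows=ROWS, columns=COLUMNS):
    """Plain-text layout of the card, the shape that would go onto the PDF."""
    lines = ["   " + "  ".join(columns)]
    for row in range(1, rows + 1):
        lines.append(f"{row:<2} " + "  ".join(grid[f"{col}{row}"] for col in columns))
    return "\n".join(lines)


def issue_challenge(grid, n=CHALLENGE_CELLS):
    """Pick n distinct coordinates for this attempt. A fresh random challenge
    per attempt is what stops a captured response from being replayed later."""
    coords = list(grid)
    picked = []
    while len(picked) < n:
        coord = secrets.choice(coords)
        if coord not in picked:
            picked.append(coord)
    return picked


def verify_response(grid, challenge, response):
    """Check the typed cells against the card. Input is normalised (case, spaces,
    punctuation) and compared in constant time so a wrong guess leaks no timing."""
    typed = "".join(ch for ch in response.upper() if ch in ALPHABET)
    expected = "".join(grid[coord] for coord in challenge)
    return hmac.compare_digest(typed.encode(), expected.encode())


def login(directory, username, password, source_ip, answer):
    """The two-step flow from the post: primary (AD-style) authentication first,
    then the grid prompt, and only for users flagged for 2FA by a group
    attribute. `answer` is a callable given the challenge and returning what the
    user typed. Returns (granted, audit_lines); the audit records the "real
    login" and its source before any supplemental step is attempted."""
    audit = []
    user = directory.get(username)
    # Constructed stand-in for AD: a real deployment hands the password to the
    # directory and never stores it here. Compare in constant time regardless.
    if user is None or not hmac.compare_digest(
            user["password"].encode(), password.encode()):
        audit.append(f"primary auth FAILED user={username} src={source_ip}")
        return False, audit
    audit.append(f"primary auth OK user={username} src={source_ip}")

    if not user["in_2fa_group"]:          # the group check gates the prompt
        audit.append(f"2fa not required user={username}")
        return True, audit
    if not user.get("grid"):              # in scope but never enrolled: fail closed
        audit.append(f"2fa REQUIRED but no card enrolled user={username}")
        return False, audit

    challenge = issue_challenge(user["grid"])
    ok = verify_response(user["grid"], challenge, answer(challenge))
    audit.append(f"grid challenge {','.join(challenge)} user={username} "
                 f"result={'OK' if ok else 'FAILED'}")
    return ok, audit


# Constructed directory: three users, one per path through the flow.
DIRECTORY = {
    "alice": {"password": "alice-pw", "in_2fa_group": True,  "grid": make_grid()},
    "bob":   {"password": "bob-pw",   "in_2fa_group": False, "grid": None},
    "carol": {"password": "carol-pw", "in_2fa_group": True,  "grid": None},
}

if __name__ == "__main__":
    card = DIRECTORY["alice"]["grid"]
    print(render_card(card))
    # Simulate Alice reading the three requested cells off her card.
    granted, log = login(DIRECTORY, "alice", "alice-pw", "203.0.113.7",
                         lambda ch: " ".join(card[c] for c in ch))
    print(granted, *log, sep="\n")
```

The order of the checks is the point: the primary credential is verified and logged with its source before the card is ever consulted, the group lookup decides whether the second step applies at all (so populations can be added over time), and a user who is in scope but has no enrolled card is refused rather than silently waved through.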
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Skill
Sent: Wednesday, June 03, 2015 9:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses


Mary,


Thanks for this post - As I gather responses, I'll be sure to share insights.

Tom





Thomas Skill, Ph.D.

Associate Provost & CIO 
Professor of Communication
Office (937) 229-3511
Fax (937) 229-4044

eMail: skill () udayton edu <mailto:tskill1 () udayton edu> 

Twitter: @skilltd <https://twitter.com/skilltd> 

Linkedin: http://www.linkedin.com/in/skilltd


UDit
University of Dayton
300 College Park 
Dayton, OH 45469-2230


On Tue, Jun 2, 2015 at 6:24 PM, Dunker, Mary <dunker () vt edu> wrote:

Tom,

Virginia Tech has not deployed a solution yet, but we have considered many of the same questions you list, so maybe it 
will be useful to share our thinking so far...

1. What provider did you select (Duo, Vasco, others)?
Nothing purchased yet, but Duo looks like it will be the front runner for us.

2. Did you implement two-factor across all systems or just selected systems?
We will attempt to implement 2-factor across all systems. We are starting by requiring it for applications whose users authenticate with our NetID via CAS. Next, we plan to include applications that use Windows Active Directory credentials.

3. If you are using a hosted email solution (such as Google Apps or Office 365), did you include that in your two-factor roll-out?
We use separate credentials for Google Apps, which already has two-step authentication, so Google Apps is not in scope. I think Office 365 will be in scope.

4. Did you include all faculty and staff or just selected users?
All, eventually, but we may start with a limited population.

5. Did you include students or allow for “student opt-in?”
Students will be included, not likely optional.

6. For ongoing two-factor administration, what level of staffing has it required?
To be determined.

7. Based on your roll-out experience, what key bit of advice might you offer to those of us considering this move?
To be determined.

We'll be interested in hearing from others as well!

Mary

-----------------------------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
540-231-9327
dunker () vt edu
--------------------------------------------------------------------


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Skill
Sent: Tuesday, June 02, 2015 1:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses


Colleagues,

At the University of Dayton, we are in the active planning stages for the deployment of Two-Factor Authentication. We’re very interested in hearing from campuses that have deployed two-factor authentication on the following questions:

1. What provider did you select (Duo, Vasco, others)?
2. Did you implement two-factor across all systems or just selected systems?
3. If you are using a hosted email solution (such as Google Apps or Office 365), did you include that in your two-factor roll-out?
4. Did you include all faculty and staff or just selected users?
5. Did you include students or allow for “student opt-in?”
6. For ongoing two-factor administration, what level of staffing has it required?
7. Based on your roll-out experience, what key bit of advice might you offer to those of us considering this move?

My apologies for cross-posting this request - I shared this with the CIO list earlier with limited responses. Valerie Vogel from Educause suggested that this list might be a better fit!
Thanks

Tom Skill