Educause Security Discussion mailing list archives

Re: Duo: love it or not so much?


From: Emily Harris <emharris () VASSAR EDU>
Date: Tue, 15 Sep 2015 13:53:17 -0400

Faust:

With our upcoming implementation, we can either use the vendor-supplied MFA,
which only supports SMS (requiring Vassar to acquire a 3rd-party SMS
service), or a 3rd-party tool that integrates with CAS such as Duo.  My
initial understanding is that Duo does supply other options such as calling
a landline number or an alternate email address.  We have definitely
thought about the cellphone issue - but mostly for areas that we will be
enforcing MFA in the future, such as Finance.


----
Emily Harris
Interim Information Security Officer, CIS
Vassar College
845-437-7221

On Tue, Sep 15, 2015 at 1:36 PM, Faust Gorham <fgorham () csub edu> wrote:

Emily,

We implemented DUO when I was with UC Merced and found it to be an
excellent product. We integrated into several bastion hosts and on our
Cisco VPN appliance.

Our plans for future phases:

   - Integrate into SSO allowing for administrative determination of
   which services would require MFA
   - Self-service page where a user could request MFA for certain
   services where administratively we didn’t require it.

I think today you see many other vendors providing this integrated into
their product offerings, for example:

   - IDAAS (Okta)
   - Microsoft

So the question is, do you need a separate product?

One thing to note – policy decisions. MFA often requires a cell phone as
that second client (text, call, or mobile app). Does the university now pay
for this device?

Cheers,
______________________________
Faust Gorham
Associate Vice President &
Chief Information Officer
California State University Bakersfield
https://www.csub.edu/its/
661-654-3425

From: The EDUCAUSE Security Constituent Group Listserv
Date: Tuesday, September 15, 2015 at 10:13 AM
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Duo: love it or not so much?

All:


We're preparing to launch Single Sign On architecture as part of a larger
IAM project, and we are looking at our options for 2-step verification /
2-factor authentication / whatever we like to call it these days.  We have
been advised that Duo is a good solution, and I am curious if others on
this list have any experiences they can share.  We are likely going to go
this way, so I am seeking any positive feedback or potential
warnings/gotchas we should look out for in our implementation.


Thank you so much!


----
Emily Harris
Interim Information Security Officer, CIS
Vassar College
845-437-7221

