Educause Security Discussion mailing list archives

Duo rollout question


From: Lawrence Furnival <lrf10 () TC COLUMBIA EDU>
Date: Wed, 8 Feb 2017 15:03:17 -0800

We are starting our rollout of Duo for certain groups of users. Like most
schools we have had some “issues”. Some of those have been confirmed to
have been caused by malware but with others it is not so clear. As long as
our users might be using the same password at our institution as with their
Yahoo email or be subject to simple phishing, we can’t be sure.

I am wondering if our Duo rollout might give us a window to determine an
estimate of how many accounts in our population might be compromised. I.e.
we turn on MFA and watch for failed login attempts from sketchy addresses.
Obvious problems are if we push Duo invitations out by email to compromised
accounts (we are not) or users stumbling with their devices at first giving
us false positives.

This is important to us because, for instance, if the estimated compromised
rate goes above 1% on student accounts then we would require MFA for all
student logins and not make it opt-in. If there are 10 cases we might
remediate and move on. As students are likely to think MFA is a hardship,
having even estimated data will help the CIO and VP make an informed
decision, on a decision that could have significant push-back.

We think our sample size has to be at least 500 so it has to be automated
to a significant extent. Has anyone collected data like this during their
MFA rollout?

Thanks,

Lawrence Furnival
Security Architect
Teachers College, Columbia University
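
An added example, not part of the original post and not Duo's own code: one way to automate the measurement described above, assuming authentication records have been exported as (user, source IP, MFA result) tuples. The record layout, sample data and function names are constructed for illustration, and the Wilson score interval is a choice made here, not something the post specifies.

```python
from math import sqrt

# Constructed sample records, not Duo's log schema: each is a login attempt
# where the password was accepted and the second factor was then requested.
# Fields: (user, source_ip, mfa_result)
EVENTS = [
    ("asmith", "198.51.100.7", "denied"),    # user fumbles on the first try...
    ("asmith", "198.51.100.7", "success"),   # ...then completes MFA from same IP
    ("bjones", "203.0.113.50", "timeout"),   # password OK, MFA never completed
    ("bjones", "192.0.2.10", "success"),     # the real user, different address
    ("cwu", "192.0.2.44", "success"),
    ("dlee", "203.0.113.50", "denied"),      # same outside address as bjones
]

def suspect_accounts(events):
    """Users with a failed MFA from an IP where they never passed MFA.

    A correct password followed by a failed second factor means whoever
    typed it knows the password. Failures from an IP the user also
    succeeded from are treated as enrollment stumbles and ignored.
    """
    good = {(u, ip) for u, ip, result in events if result == "success"}
    return {u for u, ip, result in events
            if result != "success" and (u, ip) not in good}

def wilson_interval(k, n, z=1.96):
    """95% Wilson score interval for k suspect accounts out of n sampled."""
    p = k / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, center - half), min(1.0, center + half)

def decision(k, n, threshold=0.01):
    """Compare the interval with the 1% threshold mentioned in the post."""
    low, high = wilson_interval(k, n)
    if low > threshold:
        return "above threshold"
    if high < threshold:
        return "below threshold"
    return "inconclusive"

if __name__ == "__main__":
    suspects = suspect_accounts(EVENTS)
    print(sorted(suspects), decision(len(suspects), len({e[0] for e in EVENTS})))
```

A user who fails MFA once from an address and never returns is still counted as a suspect, so flagged accounts need manual review before they go into the estimate.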
