Educause Security Discussion mailing list archives
Duo rollout question
From: Lawrence Furnival <lrf10 () TC COLUMBIA EDU>
Date: Wed, 8 Feb 2017 15:03:17 -0800
We are starting our rollout of Duo for certain groups of users. Like most schools we have had some “issues". Some of those have been confirmed to have been caused by malware but with others it is not so clear. As long as our users might be using the same password at our institution as with their Yahoo email or be subject to simple phishing, we can’t be sure. I am wondering if our Duo rollout might give us a window to determine an estimate of how many accounts in our population might be compromised. I.e. we turn on MFA and watch for failed login attempts from sketchy addresses. Obvious problems are if we push Duo invitations out by email to compromised accounts (we are not) or users stumbling with their devices at first giving us false positives. This is important to us because, for instance, if the estimated compromised rate goes above 1% on student accounts then we would require MFA for all student logins and not make it opt-in. If there are 10 cases we might remediate and move on. As students are likely to think MFA is a hardship, having even estimated data will help the CIO and VP make an informed decision, on a decision that could have significant push-back. We think our sample size has to be at least 500 so it has to be automated to a significant extent. Has anyone collected data like this during their MFA rollout? Thanks, Lawrence Furnival Security Architect Teachers College, Columbia University
Current thread:
- Sr. Compliance Analyst Opening Dan Lewis (Feb 08)
- Duo rollout question Lawrence Furnival (Feb 08)