Educause Security Discussion mailing list archives

Re: 2fa for PeopleSoft


From: "Wiltzius, Robert L" <Robert.Wiltzius () GOTOLTC EDU>
Date: Fri, 2 Jun 2017 18:30:33 +0000

Greg,


GreyHeller has an ERP Firewall<http://www.greyheller.com/products/erp-firewall/>, which installs on the PeopleSoft web 
server and can force 2FA on pretty much whatever you want within PeopleSoft.  In order for 2FA to work properly 
though, you'll need to also couple the ERP Firewall with a 2FA delivery service, like Duo.com<http://duo.com>, which 
can increase the overall cost of the service.  GreyHeller's option will work pretty much right out of the box, but it 
comes at a cost.  The GreyHeller ERP Firewall is also modular, which means you can include the ability to apply rules 
based on their geographic area.  The Duo option offers the flexibility to choose which 2FA delivery option you would 
like to make available (phone call, text, soft token, etc).


Another option that will require a little bit more time to set up, but will ultimately save you a ton (from a licensing 
and maintenance support perspective) in the end is to leverage a PeopleSoft 2FA project that was created by Colton, 
which was published on his site, PeopleSoftMods.com.  A link to his project can be found 
here<http://www.peoplesoftmods.com/2fa/two-factor-authentication-in-peoplesoft-part-1/>.  This is the option that we've 
gone down.  We are already successfully testing it in development and working on some enhancements.  This option 
leverages Google Authenticator and we can even assign this as a role and apply the role to certain users.  Depending 
on the user and the purpose behind it, some users are in AD and some are locally authenticated.  This solution works 
with both.  We even have been able to white-list certain IP addresses so users are only prompted for 2FA when they are 
coming in or performing a certain action from an untrusted network.  One thing to make note of is the Google 
Authenticator option requires the user to have a smartphone.


Thank you and have a great day,


Robert Wiltzius

WILM Network/Security Administrator
Lakeshore Technical College
1290 North Avenue
Cleveland, WI 53015
(920) 693-1755
Would you like to know more?<http://www.google.com/>



________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Greg Jackson 
<gjackson () SDCCD EDU>
Sent: Friday, June 2, 2017 11:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 2fa for PeopleSoft


(Resending, since first try apparently bounced.)

I knew this at one time, but knowledge is fleeting (at least at my age) and often obsolete. So I’d appreciate help from 
anyone with current wisdom.

Here’s the question: What are the options to enable 2fa for PeopleSoft applications on a user-by-user basis (that is, 
some users are forced to use 2fa, for others it’s offered optionally, and neither of the above for the rest)?

For example, I’m wondering about native PS functionality, native functionality in the authenticating AD, third-party 
products associated with PS, ditto with AD.

And, if you have used one or more of these options, recommendations as to which works best?

Many thanks in advance for any public or private guidance you can provide!



Greg Jackson

sdccd.edu ● gjackson.us ● 1-619-388-6868 ● gjackson () sdccd edu


