Educause Security Discussion mailing list archives
Re: Protecting workstations with Duo
From: "Scantlin, Aaron J." <ScantlinA () MISSOURI EDU>
Date: Wed, 7 Jun 2017 18:48:38 +0000
I disagree; I am much more apt to leave my phone somewhere than I am my keys (where my YubiKey lives). That said, I imagine there are plenty of people where the opposite is true, so as Rich said, choose a solution that provides an acceptable balance of security and usability WRT your organization’s workflow.

FWIW, I really like using the YubiKey as a second factor for Windows login… if the key is not inserted, the user attempting to log in will get an authentication error, but it doesn’t tell you that it’s because you’re missing the YubiKey.

Another handy trick a fellow MU employee shared with me is creating a “password prefix” that only you know and configuring the second mode (3 second press) on the YubiKey to be a long, random string; you can then set your password as the concatenation of your password prefix and YubiKey mode two output… I refer to it as 1.5 FA. ;)

Aaron J. Scantlin
Security Analyst, Division of IT
GSEC, GCFA
University of Missouri, Columbia
(W) +1-573-884-7555
(C) +1-573-424-0539
scantlina () missouri edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rich Graves
Sent: Wednesday, June 7, 2017 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Protecting workstations with Duo

The nice thing about many of the typical Duo factors is that they are slightly less likely to be stolen or left unattended than a YubiKey or smartcard. Of course, if you allow voice call to your desktop phone as a backup factor, which is something that we actually recommend to most people for pretty good reasons, that's not going to protect your desktop computer.

Regardless, make sure the security/usability ratio is meaningfully positive.

On Wed, Jun 7, 2017 at 1:24 PM, randy <marchany () vt edu> wrote:

I use YubiKey as my standalone 2nd factor (no Duo). I have it tied to my local accounts on my laptops (standalone). The Yubico setup is pretty straightforward to set up.

-r.

On Wed, Jun 7, 2017 at 1:23 PM, Emily Harris <emharris () vassar edu> wrote:

I'm curious if anyone has deployed (or is thinking of deploying) MFA on their workstation logins via Duo. It looks like it can be done, but it isn't very straightforward. It requires a local workstation client, and to manage the users via Group Policy. Our goal is to require MFA for admin accounts only (for now). I'm wondering if anyone has already deployed this.

Thanks!

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221