Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Duo/2FA exemption policies
From: Jeremy Rosenberg <rosey () BERKELEY EDU>
Date: Wed, 14 Aug 2019 09:33:02 -0700
The help desk can issue a temporary code for one hour for people who left their phone at home. That’s enough time for them to get in and print more backup codes. If they are traveling and get into trouble, the help desk is authorized to issue a 12 hour code. New users who are caught off guard by the need for a second factor while setting up their computing account can actually have a 7 day code, which is enough time for them to get to a help desk and pick up a free hardware token.

I bought 2000 of them at about $3 each and handed out about 1200, mostly to people who were very worried their phone wouldn’t work all the time. I considered them to be $3 safety blankets to get me through the roll out. I don’t expect them to get much use over time.

While these may technically be exceptions to MFA, in that while they are using the temporary code they are just using two things they know (a passphrase and a temporary code), they are still going through all the same steps of using the MFA system. So there is no exception from the inconvenience. We are just giving them a less secure second factor for a limited time while they get their proper and more convenient second factor working again.

Philosophically, I consider it a disservice to let someone go without a second factor, not a privilege or a favor. It is not ok to leave people without this important protection just because they have some unique challenge. It is up to us to figure out how to keep them safe and let them get their work done.

Jeremy

=======================================
Jeremy Rosenberg
Chief Information Security Officer
UC Berkeley
On Aug 14, 2019, at 6:14 AM, Gregg, Christopher S. <csgregg () STTHOMAS EDU> wrote:

When we first rolled out MFA (Microsoft version), hardware tokens weren’t an option so we exempted people who claimed to not have a cell phone (and a couple who argued about not wanting to use a personal phone for work). In the end that was about 40 people out of 28,000 account holders. We’re now in the process of deploying tokens to those people, so essentially we won’t have any exceptions soon.

We also have a process in place to allow the help desk to temporarily disable MFA for people who are in the process of replacing a lost/broken phone, but I assume you are looking for ongoing/long-term exceptions. We don’t have these exceptions in print as part of a policy other than the general disclaimer that the CISO or a delegate should be contacted for any exceptions to the Data Security Standards policy, which states that all Red and Yellow data systems should be protected by MFA.

Thanks,
Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu <https://www.stthomas.edu/>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kristen Dietiker
Sent: Tuesday, August 13, 2019 6:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Duo/2FA exemption policies

I'm interested in knowing the circumstances under which other institutions exempt users from 2FA requirements. If you have a policy or standard operating procedure covering this, I'd appreciate the share. Thank you!
Kristen Dietiker
Chief Information Security Officer
Santa Clara University
(408) 554-5554
_______________________________________________________________
Duo 2-Factor Authentication is coming! Learn more at https://www.scu.edu/duo
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
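The tiered temporary codes Jeremy describes (one hour for a phone left at home, 12 hours for travel trouble, 7 days for a new user waiting on a hardware token, all issued by the help desk) can be modeled as a small issuance-and-redemption store that enforces what makes such a code an acceptable stop-gap: a hard per-tier expiry, single use, a cap on wrong guesses, and an audit view of codes still live. This is an added example, not code from any of the posters, from Duo, or from UC Berkeley's help desk; the reason labels, the 8-digit code format, the attempt limit and the user names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum lifetime of a help-desk-issued bypass code per situation, following the
# tiers described in the thread (1 hour, 12 hours, 7 days). The reason labels are
# assumed names for this example, not terms from Duo or any institution's policy.
MAX_LIFETIME = {
    "phone_left_at_home": timedelta(hours=1),
    "traveling": timedelta(hours=12),
    "new_user_awaiting_token": timedelta(days=7),
}
MAX_ATTEMPTS = 5   # wrong guesses before a code is burned (assumed value)
CODE_DIGITS = 8    # assumed code format


def _utcnow() -> datetime:
    return datetime.now(timezone.utc)


def _digest(code: str) -> bytes:
    # Only a digest of the code is stored. An 8-digit code has little entropy, so
    # the digest is no defence against offline guessing; the short lifetime, the
    # attempt cap and single use are what actually bound the risk of this weaker
    # "something you know" second factor.
    return hashlib.sha256(code.encode()).digest()


@dataclass
class BypassCode:
    user: str
    reason: str
    digest: bytes
    issued_at: datetime
    expires_at: datetime
    issued_by: str      # help-desk operator, kept for the audit trail
    attempts: int = 0
    used: bool = False


class BypassCodeStore:
    """Issues, redeems and audits time-limited, single-use bypass codes."""

    def __init__(self) -> None:
        self._codes: dict[str, BypassCode] = {}

    def issue(self, user: str, reason: str, issued_by: str,
              now: datetime | None = None) -> str:
        if reason not in MAX_LIFETIME:
            raise ValueError(f"no bypass tier defined for reason {reason!r}")
        now = now or _utcnow()
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # One outstanding code per user: issuing again replaces the previous one.
        self._codes[user] = BypassCode(
            user, reason, _digest(code), now, now + MAX_LIFETIME[reason], issued_by
        )
        return code  # shown to the user once; only the digest is retained

    def redeem(self, user: str, candidate: str,
               now: datetime | None = None) -> bool:
        rec = self._codes.get(user)
        if rec is None or rec.used:
            return False
        now = now or _utcnow()
        if now >= rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
            return False
        rec.attempts += 1
        if not hmac.compare_digest(rec.digest, _digest(candidate)):
            return False
        rec.used = True  # single use: the user must now restore a proper factor
        return True

    def outstanding(self, now: datetime | None = None) -> list[tuple[str, str, int]]:
        """Audit view: live (unused, unexpired, not burned) codes and minutes left."""
        now = now or _utcnow()
        live = []
        for rec in self._codes.values():
            if not rec.used and now < rec.expires_at and rec.attempts < MAX_ATTEMPTS:
                remaining = int((rec.expires_at - now).total_seconds() // 60)
                live.append((rec.user, rec.reason, remaining))
        return sorted(live)


def demo() -> dict[str, object]:
    """Exercise the tiers with a fixed clock and constructed users."""
    store = BypassCodeStore()
    t0 = datetime(2019, 8, 14, 9, 0, tzinfo=timezone.utc)

    # 1-hour tier: a wrong guess fails, the right code works once, replay fails.
    code = store.issue("alice", "phone_left_at_home", "helpdesk-1", now=t0)
    wrong = store.redeem("alice", "x", now=t0)
    ok = store.redeem("alice", code, now=t0 + timedelta(minutes=30))
    replay = store.redeem("alice", code, now=t0 + timedelta(minutes=31))

    # 12-hour tier: one second past expiry is too late.
    code = store.issue("bob", "traveling", "helpdesk-2", now=t0)
    expired = store.redeem("bob", code, now=t0 + timedelta(hours=12, seconds=1))

    # 7-day tier: MAX_ATTEMPTS wrong guesses burn the code even inside its window.
    code = store.issue("carol", "new_user_awaiting_token", "helpdesk-1", now=t0)
    for _ in range(MAX_ATTEMPTS):
        store.redeem("carol", "x", now=t0)
    burned = store.redeem("carol", code, now=t0 + timedelta(days=1))

    return {"wrong": wrong, "ok": ok, "replay": replay, "expired": expired,
            "burned": burned, "live_at_t0": store.outstanding(now=t0)}


if __name__ == "__main__":
    print(demo())
```

The `outstanding()` view is the piece a security team would actually review: with the tiers fixed in `MAX_LIFETIME`, no operator can hand out a longer-lived exception than policy allows, and anything still live past a shift is visible rather than quietly accumulating as a standing MFA bypass.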