Educause Security Discussion mailing list archives

Re: [External] [SECURITY] Duo/2FA exemption policies


From: Jeremy Rosenberg <rosey () BERKELEY EDU>
Date: Wed, 14 Aug 2019 09:33:02 -0700

The help desk can issue a temporary code for one hour for people who left their phone at home. That’s enough time for 
them to get in and print more backup codes. If they are traveling and get into trouble, the help desk is authorized to 
issue a 12 hour code. New users who are caught off guard by the need for a second factor while setting up their 
computing account can actually have a 7 day code, which is enough time for them to get to a help desk and pick up a 
free hardware token. I bought 2000 of them at about $3 each and handed out about 1200. Mostly to people who were very 
worried their phone wouldn’t work all the time. I considered them to be $3 safety blankets to get me through the roll 
out. I don’t expect them to get much use over time.

While these may technically be exceptions to MFA in that while they are using the temporary code they are just using 
two things they know (a passphrase and a temporary code) they are still going through all the same steps of using the 
MFA system. So there is no exception from the inconvenience. We are just giving them a less secure second factor for a 
limited time while they get their proper and more convenient second factor working again.

Philosophically, I consider it a disservice to let someone go without a second factor, not a privilege or a favor. It 
is not ok to leave people without this important protection just because they have some unique challenge. It is up to 
us to figure out how to keep them safe and let them get their work done.

Jeremy

=======================================
Jeremy Rosenberg
Chief Information Security Officer
UC Berkeley

On Aug 14, 2019, at 6:14 AM, Gregg, Christopher S. <csgregg () STTHOMAS EDU> wrote:

When we first rolled out MFA (Microsoft version), hardware tokens weren’t an option so we exempted people who claimed 
to not have a cell phone (and a couple who argued about not wanting to use a personal phone for work).  In the end 
that was about 40 people out of 28,000 account holders.  We’re now in the process of deploying tokens to those 
people, so essentially we won’t have any exceptions soon.
 
We also have a process in place to allow the help desk to temporarily disable MFA for people who are in the process 
of replacing a lost/broken phone, but I assume you are looking for ongoing/long-term exceptions.
 
We don’t have these exceptions in print as part of a policy other than the general disclaimer that the CISO or a 
delegate should be contacted for any exceptions to the Data Security Standards policy, which states that all Red and 
Yellow data systems should be protected by MFA.
 
Thanks,
 
Chris
 
 
Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu <https://www.stthomas.edu/>
 
 
 
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kristen Dietiker
Sent: Tuesday, August 13, 2019 6:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Duo/2FA exemption policies
 
I'm interested in knowing the circumstances under which other institutions exempt users from 2FA requirements. If you 
have a policy or standard operating procedure covering this, I'd appreciate the share. Thank you!

Kristen Dietiker
Chief Information Security Officer
Santa Clara University
(408) 554-5554
_______________________________________________________________
Duo 2-Factor Authentication is coming! Learn more at https://www.scu.edu/duo 
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community 
**********