Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies


From: Valdis Klētnieks <valdis.kletnieks () VT EDU>
Date: Wed, 14 Aug 2019 18:37:37 -0400

On Wed, 14 Aug 2019 09:20:45 -0700, Gene LeDuc said:

> If the Duo account doesn't have any devices, then the user logs in with
> credentials and gets to register a new device, problem solved and no temp
> bypasses to undo.

How do you deal with the case of "the user's phone died last night, they have
to get work done today, and won't be able to actually get a new device for a
few days"?  Not everybody who has an iPhone has the cash on hand to lay out for
a new one unexpectedly, and making them obtain a cheap burner phone they don't
want in order to get their MFA working isn't going to make the security office
any friends...

