Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies


From: Phill Moran <phill () ASTRUMU COM>
Date: Wed, 14 Aug 2019 23:06:47 +0000

Duo has several mechanisms for this scenario: one-time-use codes, secondary methods, secondary devices and recovery.
If the account is set up completely (an issue I see a lot is where the secondary methods or recovery codes are not set
or saved) then this shouldn't happen; if it does, most all of the time it is because of failure to follow
policy/procedure. Your IT office should be able to validate you over the phone with a known ID method and then send a
recovery code for you to authenticate with.

Phill Moran
CISO/SecOps 
Security | Engineering | Operations, AstrumU
e-mail: phill () AstrumU com | phone: 206.383.0947 


On 8/14/19, 3:37 PM, "The EDUCAUSE Security Community Group Listserv on behalf of Valdis Klētnieks" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of valdis.kletnieks () VT EDU> wrote:

    On Wed, 14 Aug 2019 09:20:45 -0700, Gene LeDuc said:
    
    > If the Duo account doesn't have any devices, then the user logs in with
    > credentials and gets to register a new device, problem solved and no temp
    > bypasses to undo.
    
    How do you deal with the case of "the user's phone died last night, they have
    to get work done today, and won't be able to actually get a new device for a
    few days"?  Not everybody who has an iPhone has the cash on hand to lay out for
    a new one unexpectedly, and making them obtain a cheap burner phone they don't
    want in order to get their MFA working isn't going to make the security office
    any friends...
    
    
    **********
    Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
    
