Educause Security Discussion mailing list archives
Re: [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies
From: Valdis Klētnieks <valdis.kletnieks () VT EDU>
Date: Wed, 14 Aug 2019 19:49:00 -0400
On Wed, 14 Aug 2019 16:03:48 -0700, Gene LeDuc said:
> You can dump a list of OTPs for the user, give them a hardware token, other options. This is not an insurmountable problem unless the user chooses to make it one. If MFA is a requirement, it's a requirement.
Yes, a proper deployment of course has multiple recovery options because *eventually* somebody is going to have their phone go walkies somewhere between Chicago and Frankfurt, or similar bad events. But it's different than what you originally said:
> If the Duo account doesn't have any devices, then the user logs in with credentials and gets to register a new device, problem solved and no temp
The reason I pointed it out is because it matters: the single biggest reason for MFA deployments to go poorly is having a simple-minded "oh the user just has to XYZ" recovery plan rather than actually thinking through and having multiple recovery methods to deal with different failure modes... (Sorry to be pedantic, but security is a field where glossing over details is a good way to end up on the front page of the local newspaper for all the wrong reasons...)

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community