Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies


From: Valdis Klētnieks <valdis.kletnieks () VT EDU>
Date: Wed, 14 Aug 2019 19:49:00 -0400

On Wed, 14 Aug 2019 16:03:48 -0700, Gene LeDuc said:
> You can dump a list of OTPs for the user, give them a hardware token,
> other options.  This is not an insurmountable problem unless the user
> chooses to make it one.  If MFA is a requirement, it's a requirement.

Yes, a proper deployment of course has multiple recovery options because
*eventually* somebody is going to have their phone go walkies somewhere between
Chicago and Frankfurt, or similar bad events.

But it's different than what you originally said:

> If the Duo account doesn't have any devices, then the user logs in with
> credentials and gets to register a new device, problem solved and no temp

The reason I pointed it out is that it matters: the single biggest reason
for MFA deployments to go poorly is having a simple-minded "oh the user just
has to XYZ" recovery plan rather than actually thinking through and having
multiple recovery methods to deal with different failure modes...

(Sorry to be pedantic, but security is a field where glossing over details is a
good way to end up on the front page of the local newspaper for all the wrong
reasons...)
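The "dump a list of OTPs for the user" recovery option quoted above is only safe if the codes are stored hashed, accepted once each, and compared in constant time. The following is an added example written for this archive page, not code from either poster or from Duo; the class name, the 10-code default and the 40-bit code length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class RecoveryCodeStore:
    """Hashed, single-use recovery codes for one user (hypothetical helper).

    The plaintext codes are returned once from issue() and never kept;
    only salted PBKDF2 digests are stored, so a database leak does not
    hand an attacker a working second factor.
    """
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: set = field(default_factory=set)

    def _digest(self, code: str) -> bytes:
        # Normalise user input so "AB12C-DE34F" and "ab12c de34f" match.
        normalized = code.replace("-", "").replace(" ", "").lower()
        return hashlib.pbkdf2_hmac("sha256", normalized.encode(), self.salt, 100_000)

    def issue(self, count: int = 10) -> list:
        """Generate `count` fresh codes, store their digests, return the plaintext."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)          # 40 bits of entropy per code (assumption)
            code = f"{raw[:5]}-{raw[5:]}"       # grouped for readability on paper
            codes.append(code)
            self.hashes.add(self._digest(code))
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; unknown or already-used codes fail."""
        candidate = self._digest(code)
        for stored in self.hashes:
            # Constant-time comparison so timing does not leak digest prefixes.
            if hmac.compare_digest(stored, candidate):
                self.hashes.discard(stored)     # single use: burn it on success
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left; a good trigger to re-issue when low."""
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    for c in store.issue():
        print(c)                                # shown to the user once, then discarded
```

Re-issuing a batch should replace the whole set rather than append to it, and the help-desk flow that hands out the printed list still needs its own identity check; the codes only solve the "phone went walkies" case, not the "who is asking" case.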

