Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] MFA LMS


From: Ravi Kotecha <kotechar () BRANDEIS EDU>
Date: Thu, 25 Jun 2020 10:54:11 -0400

At Brandeis, all of our employees and students are required to use DUO for
MFA. Every application that uses our Shibboleth SSO implementation requires
using MFA. We do allow users to select the "remember me for 30 days"
option, which makes it a little less cumbersome for some users.

With most of the Spring semester and now the summer term remote, we still
have not had an uptick in 2FA support requests. At the outset, we did offer
hardware tokens to anyone who requested them. The bulk of these were
faculty and students who either did not have a mobile phone or would be in
an area where internet and cellular connectivity are sparse.

From an initial onboarding perspective, students needed help setting up the
DUO solution at around a 2% clip, while faculty edged higher near the
10-12% mark. Ongoing support is minimal. Largely we deal with enrolling new
devices or supporting folks who haven't logged in in a while and need a
refresher.

I hope this helps!
--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
x67284 | security () brandeis edu


On Thu, Jun 25, 2020 at 9:56 AM Jones, Mark B <Mark.B.Jones () uth tmc edu>
wrote:

We are using the SAML option for Canvas authentication and our SAML
solution requires MFA.

It is working well.



*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Garrett McManaway
*Sent:* Wednesday, June 24, 2020 3:12 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] MFA LMS




All,



I am curious if anyone is currently using or looking at using MFA in front
of their LMS, and in particular Canvas? As the new norm is pointing towards
far more online learning, we will eventually see more interest in
maliciously accessing course content.



The scenario I am thinking of is that of hacktivists catching on to the
news stories that are challenging the idea that HigherEd is offering a
watered-down product at the same cost and then posting course material
online that they obtained illegally. Of course, nothing is stopping someone
with legit access from doing the same, but I think it is less feasible in my mind.



Garrett McManaway

CISO & Sr. Director

C&IT - Information Security and Compliance

Wayne State University

Phone: 313-577-3454



**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community

