Re: Two-Factor Authentication

[Harry Hoffman <hhoffman () IP-SOLUTIONS NET>]

Hi David,

I don't know if this will work in your environment but we have something
similar to CAS called Weblogin.

When a user is enrolled in 2fa and haven't authenticated to a web app
then they are redirected to weblogin (same as with CAS) to provide their
initial set of authentication credentials (userid + password). Weblogin
checks to see if they are enrolled in 2fa and if so presents them with a
page to enter their code.

Once this is successful redirection happens as normal (i.e. w/o 2fa).

CAS (at least some versions) are capable of doing multiple
authentication methods so I believe that this is feasible to implement.

If you want more information let me know and I can get you in contact
with some of the folks here who run our 2fa and weblogin environments.

Cheers,
Harry


On 09/05/2013 12:30 PM, David Curry wrote:
> We have two-factor authentication enabled for our domain - in the sense
> that we allow individual users to turn it on, not that we require them to.
>
> Unfortunately, it doesn't work if you're using single sign-on, such as a
> CAS server, as we are. It's documented not to work, so it's not a bug, but
> it's unfortunate. So you (as a user) can set up the Google Authenticator
> for your GAE account, but if your domain is using single sign-on, you'll
> never actually be prompted to use the Authenticator to sign in. :-(
>
>
>
>
> --
>
> *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
>
> *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
>
> +1 212 229-5300 x4728 • david.curry () newschool edu
>
>
>
> On Thu, Sep 5, 2013 at 12:26 PM, Dennis Bolton <bolton () oakland edu> wrote:
>
> > We too are seeing an increase in compromised Gmail accounts.  With the
> > compromise limited to the Gmail side (e.g. we have the credentials trying
> > to be used against other services).  We also have not yet turned on
> > two-factor authentication for our Google Apps domain and would be hearing
> > feedback.
> >
> > Dennis Bolton
> > Network Security Analyst
> > Oakland University
> > 248-370-4803
> > bolton () oakland edu
> >
> >
> > On Thu, Sep 5, 2013 at 12:15 PM, Peter Setlak <psetlak () colgate edu> wrote:
> >
> > > All,
> > >
> > > We are being hit with a number of compromised student Gmail accounts. We
> > > have not yet turned on two-factor authentication for our Google Apps
> > > domain. Has anyone here enabled this feature? Did users take to it? Was it
> > > mandatory or optional? How extensive was your campaign and communications
> > > to end-users? Were there major caveats, issues, etc? Has anyone implemented
> > > other solutions to combat this (or similar) issues?
> > >
> > > --
> > > Thank you,
> > >
> > > Peter J. Setlak
> > > Managing Director, Networks, Systems & Operations
> > > Network Security Analyst, GSEC, GLEG
> > > Colgate University
> > > ---
> > > psetlak () colgate edu
> > > (315) 228-7151
> > > Case-Geyer 180H (NSO Suite)
> > > skype: petersetlak
> > >
> > > Think *Green!* Please consider the environment before printing this
> > > email.
> > >
> > > *Engage with Colgate University:
> > > *
> > > News blog <http://blogs.colgate.edu/>, Twitter<https://twitter.com/#%21/colgateuniv>
> > > , Facebook <https://www.facebook.com/colgateuniversity>, 
> > > Google+<https://plus.google.com/u/0/b/113333907606560373469/>
> > > , Delicious <http://www.delicious.com/colgatenewsmakers>, YouTube<http://www.youtube.com/cuatchannel13>
> > > , Flickr <http://www.flickr.com/photos/colgateuniversity/>, Pinterest<http://pinterest.com/colgateuniv/>
> > > , LinkedIn <http://www.linkedin.com/company/colgate-university/>
> >
> >
> >
> > --
> > Dennis Bolton
> > Network Security Analyst
> > Oakland University
> > 2200 N Squirrel Road Rochester MI 48309
> > 248-370-4803