Educause Security Discussion mailing list archives
Re: Two-Factor Authentication
From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Thu, 5 Sep 2013 12:54:11 -0400
Hi David,

I don't know if this will work in your environment but we have something similar to CAS called Weblogin. When a user is enrolled in 2fa and hasn't authenticated to a web app then they are redirected to weblogin (same as with CAS) to provide their initial set of authentication credentials (userid + password). Weblogin checks to see if they are enrolled in 2fa and if so presents them with a page to enter their code. Once this is successful redirection happens as normal (i.e. w/o 2fa).

CAS (at least some versions) is capable of doing multiple authentication methods so I believe that this is feasible to implement.

If you want more information let me know and I can get you in contact with some of the folks here who run our 2fa and weblogin environments.

Cheers,
Harry

On 09/05/2013 12:30 PM, David Curry wrote:
We have two-factor authentication enabled for our domain - in the sense that we allow individual users to turn it on, not that we require them to.

Unfortunately, it doesn't work if you're using single sign-on, such as a CAS server, as we are. It's documented not to work, so it's not a bug, but it's unfortunate. So you (as a user) can set up the Google Authenticator for your GAE account, but if your domain is using single sign-on, you'll never actually be prompted to use the Authenticator to sign in. :-(

--
*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry () newschool edu

On Thu, Sep 5, 2013 at 12:26 PM, Dennis Bolton <bolton () oakland edu> wrote:

We too are seeing an increase in compromised Gmail accounts. With the compromise limited to the Gmail side (e.g. we have the credentials trying to be used against other services). We also have not yet turned on two-factor authentication for our Google Apps domain and would be hearing feedback.

Dennis Bolton
Network Security Analyst
Oakland University
248-370-4803
bolton () oakland edu

On Thu, Sep 5, 2013 at 12:15 PM, Peter Setlak <psetlak () colgate edu> wrote:

All,

We are being hit with a number of compromised student Gmail accounts. We have not yet turned on two-factor authentication for our Google Apps domain.

Has anyone here enabled this feature? Did users take to it? Was it mandatory or optional? How extensive was your campaign and communications to end-users? Were there major caveats, issues, etc?

Has anyone implemented other solutions to combat this (or similar) issues?

--
Thank you,
Peter J. Setlak
Managing Director, Networks, Systems & Operations
Network Security Analyst, GSEC, GLEG
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 180H (NSO Suite)
skype: petersetlak

Think *Green!* Please consider the environment before printing this email.
--
Dennis Bolton
Network Security Analyst
Oakland University
2200 N Squirrel Road
Rochester MI 48309
248-370-4803
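
The login flow Harry Hoffman describes above (password first, then an enrollment check and a code prompt at the SSO server itself), as an added example that is not part of the original thread and is not Weblogin or CAS code. The function names, user records and return values are hypothetical; the code check is generic RFC 6238 TOTP, and the secret is the RFC's published test key.

```python
import base64, hashlib, hmac, struct, time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32, counter, digits=6):
    """Code for one time-step counter (HMAC-SHA1, RFC 4226 truncation)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def matching_step(secret_b32, code, now, window=1):
    """Return the time step whose code matches (allowing clock drift), else None."""
    current = int(now) // STEP
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(totp(secret_b32, counter).encode(), code.encode()):
            return counter
    return None

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample directory: alice is enrolled in 2FA, bob is not.
USERS = {
    "alice": {"salt": b"s1", "pw": pw_hash("alice-pw", b"s1"),
              "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "last_step": -1},
    "bob": {"salt": b"s2", "pw": pw_hash("bob-pw", b"s2"),
            "secret": None, "last_step": -1},
}

def weblogin(user, password, code=None, now=None):
    """One login attempt at the SSO: returns 'denied', 'need_code' or 'ticket'."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(pw_hash(password, rec["salt"]), rec["pw"]):
        return "denied"
    if rec["secret"] is None:
        return "ticket"       # not enrolled: password alone completes the login
    if code is None:
        return "need_code"    # enrolled: show the code page, issue nothing yet
    step = matching_step(rec["secret"], code, now)
    if step is None or step <= rec["last_step"]:
        return "denied"       # wrong code, or a code that was already used
    rec["last_step"] = step
    return "ticket"           # only now is the user redirected back to the app
```

Because the second factor is enforced before any ticket is issued, the downstream applications need no 2FA support of their own; recording `last_step` keeps a captured code from being replayed inside its validity window.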
Current thread:
- Two-Factor Authentication Peter Setlak (Sep 05)
- Re: Two-Factor Authentication Dennis Bolton (Sep 05)
- Re: Two-Factor Authentication David Curry (Sep 05)
- Re: Two-Factor Authentication Harry Hoffman (Sep 05)
- Re: Two-Factor Authentication Peter Setlak (Sep 05)
- Re: Two-Factor Authentication William G. Thompson, Jr. (Sep 09)
- Re: Two-Factor Authentication David Curry (Sep 05)
- Re: Two-Factor Authentication Dennis Bolton (Sep 05)
- Re: Two-Factor Authentication David Escalante (Sep 05)