Re: Two-Factor Authentication

[Peter Setlak <psetlak () COLGATE EDU>]

David,

Good point! Thank you. To clarify what we are looking to implement, this
would not tie-in with CAS as we do not require our users to log in to our
portal in order to log in to Gmail. The 2-factor would SMS or call the
user's phone directly, without using the Google Authenticator app. In other
words, even though my network account and my gmail account sync to the same
password, only when/if I log in to gmail will I be presented with the 2fa
(except if I've set up application specific passwords for my mail clients).

I am curious, though, what else may be out there in use...

Thank you,
Peter


On Thu, Sep 5, 2013 at 12:54 PM, Harry Hoffman <hhoffman () ip-solutions net>wrote:

> Hi David,
>
> I don't know if this will work in your environment but we have something
> similar to CAS called Weblogin.
>
> When a user is enrolled in 2fa and haven't authenticated to a web app
> then they are redirected to weblogin (same as with CAS) to provide their
> initial set of authentication credentials (userid + password). Weblogin
> checks to see if they are enrolled in 2fa and if so presents them with a
> page to enter their code.
>
> Once this is successful redirection happens as normal (i.e. w/o 2fa).
>
> CAS (at least some versions) are capable of doing multiple
> authentication methods so I believe that this is feasible to implement.
>
> If you want more information let me know and I can get you in contact
> with some of the folks here who run our 2fa and weblogin environments.
>
> Cheers,
> Harry
>
>
> On 09/05/2013 12:30 PM, David Curry wrote:
> > We have two-factor authentication enabled for our domain - in the sense
> > that we allow individual users to turn it on, not that we require them
> to.
> > Unfortunately, it doesn't work if you're using single sign-on, such as a
> > CAS server, as we are. It's documented not to work, so it's not a bug,
> but
> > it's unfortunate. So you (as a user) can set up the Google Authenticator
> > for your GAE account, but if your domain is using single sign-on, you'll
> > never actually be prompted to use the Authenticator to sign in. :-(
> >
> >
> >
> >
> > --
> >
> > *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
> >
> > *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
> >
> > +1 212 229-5300 x4728 • david.curry () newschool edu
> >
> >
> >
> > On Thu, Sep 5, 2013 at 12:26 PM, Dennis Bolton <bolton () oakland edu>
> wrote:
> > > We too are seeing an increase in compromised Gmail accounts.  With the
> > > compromise limited to the Gmail side (e.g. we have the credentials
> trying
> > > to be used against other services).  We also have not yet turned on
> > > two-factor authentication for our Google Apps domain and would be
> hearing
> > > feedback.
> > >
> > > Dennis Bolton
> > > Network Security Analyst
> > > Oakland University
> > > 248-370-4803
> > > bolton () oakland edu
> > >
> > >
> > > On Thu, Sep 5, 2013 at 12:15 PM, Peter Setlak <psetlak () colgate edu>
> wrote:
> > > > All,
> > > >
> > > > We are being hit with a number of compromised student Gmail accounts.
> We
> > > > have not yet turned on two-factor authentication for our Google Apps
> > > > domain. Has anyone here enabled this feature? Did users take to it?
> Was it
> > > > mandatory or optional? How extensive was your campaign and
> communications
> > > > to end-users? Were there major caveats, issues, etc? Has anyone
> implemented
> > > > other solutions to combat this (or similar) issues?
> > > >
> > > > --
> > > > Thank you,
> > > >
> > > > Peter J. Setlak
> > > > Managing Director, Networks, Systems & Operations
> > > > Network Security Analyst, GSEC, GLEG
> > > > Colgate University
> > > > ---
> > > > psetlak () colgate edu
> > > > (315) 228-7151
> > > > Case-Geyer 180H (NSO Suite)
> > > > skype: petersetlak
> > > >
> > > > Think *Green!* Please consider the environment before printing this
> > > > email.
> > > >
> > > > *Engage with Colgate University:
> > > > *
> > > > News blog <http://blogs.colgate.edu/>, Twitter<
> https://twitter.com/#%21/colgateuniv>
> > > > , Facebook <https://www.facebook.com/colgateuniversity>, Google+<
> https://plus.google.com/u/0/b/113333907606560373469/>
> > > > , Delicious <http://www.delicious.com/colgatenewsmakers>, YouTube<
> http://www.youtube.com/cuatchannel13>
> > > > , Flickr <http://www.flickr.com/photos/colgateuniversity/>, Pinterest<
> http://pinterest.com/colgateuniv/>
> > > > , LinkedIn <http://www.linkedin.com/company/colgate-university/>
> > >
> > >
> > >
> > > --
> > > Dennis Bolton
> > > Network Security Analyst
> > > Oakland University
> > > 2200 N Squirrel Road Rochester MI 48309
> > > 248-370-4803



-- 
Thank you,

Peter J. Setlak
Managing Director, Networks, Systems & Operations
Network Security Analyst, GSEC, GLEG
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 180H (NSO Suite)
skype: petersetlak

Think *Green!* Please consider the environment before printing this email.

*Engage with Colgate University:
*
News blog <http://blogs.colgate.edu/>,
Twitter<https://twitter.com/#%21/colgateuniv>
, Facebook <https://www.facebook.com/colgateuniversity>,
Google+<https://plus.google.com/u/0/b/113333907606560373469/>
, Delicious <http://www.delicious.com/colgatenewsmakers>,
YouTube<http://www.youtube.com/cuatchannel13>
, Flickr <http://www.flickr.com/photos/colgateuniversity/>,
Pinterest<http://pinterest.com/colgateuniv/>
, LinkedIn <http://www.linkedin.com/company/colgate-university/>