Educause Security Discussion mailing list archives
Re: Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses
From: Don Murdoch <djmurd () COX NET>
Date: Wed, 3 Jun 2015 10:21:33 -0400
Greetings. Some thoughts from the commercial sector… Fortune 500.

General – we chose Entrust IdentityGuard for a F/500 org who needed graduated roll-out by user population. Key factors included:

a) The ability to put a PDF-based 2FA “card” into the hands of a user, where the user self-enrolled on the inside of the network (protected site, more or less) and then could use the token outside. Other solutions capable – plastic card, smart card, fob. The PDF option made for a nearly zero-cost deployment when coupled with good directions, an email campaign, a zero-cost/quick “reissue” process through the self-enrollment site, and individualized security questions.

b) The 2FA grid is an NxN card – suggested 4x8 to 6x12. It has numbers down the side and letters across the top. On an integrated site, the user is prompted to enter the grid coordinates during the authentication process. For example, prompt the user for I1, B3, C4. They then type in the letters – say Z, 4, G.

c) In our case, they needed to auth to A.D. first (multiple domains in play), and then answer the grid prompt. SO – you needed an active account, and then the active 2FA device. Therefore we captured a “real login”, and then a supplemental authentication. This allowed us to have great “where did they come from” logging before full admittance.

d) ON the grid – we chose 5x10 because that print size was the most we could get and still be readable by a person with 20/60 vision.

e) IDG supports a “secondary email address” for users to have their grid sent to, aside from their work email address. This had a particular advantage. Users can send the 2FA grid to their home email addy, then read home mail on the phone and store the PDF on the smartphone. Very handy. Also solves the “how do I get my grid again” problem nicely.

f) The solution supported checking an AD group, or some other AD attribute, to determine if an integrated site/solution would perform the 2FA prompt. This was beneficial as we could “add” users to the solution over time.

1. What provider did you select (Duo, Vasco, others)?
Entrust IdentityGuard; experience with RSA using both soft and physical tokens.

2. Did you implement two-factor across all systems or just selected systems?
Entrust IDG – remote access via Citrix for the Internet-accessible user base was the primary use case. RSA – most of the UCs defined by RSA are in use. No negatives observed as a consumer of same.

3. If you are using a hosted email solution (such as Google Apps or Office 365), did you include that in your two-factor roll-out?

4. Did you include all faculty and staff or just selected users?
In our case, the FTE population is in scope. That’s 7,000+ users for the Entrust IDG, and a whopping number for the RSA piece.

5. Did you include students or allow for “student opt-in?”

6. For ongoing two-factor administration, what level of staffing has it required?
My experience in the commercial space is that graduated roll-out is labor intensive. You need to understand how to do this for your org. It was very much worth trying to define the user population who received the E/IDG token and the RSA token. Then you need to *clearly* have a process for end users to *quickly* get a new “device”. If you don’t work that out ahead of time you will be in very unhappy land.

7. Based on your roll-out experience, what key bit of advice might you offer to those of us considering this move?

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Skill
Sent: Wednesday, June 03, 2015 9:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses

Mary

Thanks for this post - As I gather responses, I'll be sure to share insights.

Tom

Thomas Skill, Ph.D.
Associate Provost & CIO
Professor of Communication
Office (937) 229-3511
Fax (937) 229-4044
eMail: skill () udayton edu <mailto:tskill1 () udayton edu>
Twitter: @skilltd <https://twitter.com/skilltd>
Linkedin: http://www.linkedin.com/in/skilltd
UDit
University of Dayton
300 College Park
Dayton, OH 45469-2230

On Tue, Jun 2, 2015 at 6:24 PM, Dunker, Mary <dunker () vt edu <mailto:dunker () vt edu> > wrote:

Tom,

Virginia Tech has not deployed a solution yet, but we have considered many of the same questions you list, so maybe it will be useful to share our thinking so far...

1. What provider did you select (Duo, Vasco, others)?
Nothing purchased yet, but Duo looks like it will be the front runner for us.

2. Did you implement two-factor across all systems or just selected systems?
We will attempt to implement 2-factor across all systems. We are starting by requiring it for applications whose users authenticate with our NetID via CAS. Next, we plan to include applications that use Windows Active Directory credentials.

3. If you are using a hosted email solution (such as Google Apps or Office 365), did you include that in your two-factor roll-out?
We use separate credentials for Google Apps, which already has two-step authentication, so Google Apps is not in scope. I think Office 365 will be in scope.

4. Did you include all faculty and staff or just selected users?
All, eventually, but we may start with a limited population.

5. Did you include students or allow for “student opt-in?”
Students will be included, not likely optional.

6. For ongoing two-factor administration, what level of staffing has it required?
To be determined.

7. Based on your roll-out experience, what key bit of advice might you offer to those of us considering this move?
To be determined.

We'll be interested in hearing from others as well!

Mary
-----------------------------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
540-231-9327
dunker () vt edu <mailto:dunker () vt edu>
--------------------------------------------------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Skill
Sent: Tuesday, June 02, 2015 1:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses

Colleagues,

At the University of Dayton, we are in the active planning stages for the deployment of Two-Factor Authentication. We’re very interested in hearing from campuses that have deployed two-factor authentication on the following questions:

1. What provider did you select (Duo, Vasco, others)?
2. Did you implement two-factor across all systems or just selected systems?
3. If you are using a hosted email solution (such as Google Apps or Office 365), did you include that in your two-factor roll-out?
4. Did you include all faculty and staff or just selected users?
5. Did you include students or allow for “student opt-in?”
6. For ongoing two-factor administration, what level of staffing has it required?
7. Based on your roll-out experience, what key bit of advice might you offer to those of us considering this move?

My apologies for cross-posting this request - I shared this with the CIO list earlier with limited responses. Valerie Vogel from Educause suggested that this list might be a better fit!

Thanks

Tom Skill

Thomas Skill, Ph.D.
Associate Provost & CIO
Professor of Communication
Office (937) 229-3511
Fax (937) 229-4044
eMail: skill () udayton edu <mailto:tskill1 () udayton edu>
Twitter: @skilltd <https://twitter.com/skilltd>
Linkedin: http://www.linkedin.com/in/skilltd
UDit
University of Dayton
300 College Park
Dayton, OH 45469-2230
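Editor's added example (not code from the post, and not Entrust's implementation): a minimal server side for the grid-card second step Don describes in points b) and c) above. It generates a card with letters across the top and numbers down the side, prompts for a few coordinates like "I1, B3, C4", and checks the typed symbols. The cell alphabet, the 3-cell prompt length, the challenge time limit and the failure lockout are all assumptions chosen here; the page does not give IdentityGuard's actual values. Note that a 3-cell prompt over a 32-symbol alphabet has only 32^3 = 32,768 possible answers, so the lockout and single-use challenge are what keep online guessing in check.

```python
"""Grid-card ("bingo card") second factor, modelled on the mailing-list post:
letters across the top, numbers down the side, and a login prompt for a few
coordinates (e.g. I1, B3, C4) answered with the symbols printed in those cells.
Added example; parameters below are assumptions, not the vendor's."""
import hmac
import re
import secrets
import string
import time
from dataclasses import dataclass

# Assumed cell alphabet: digits and upper-case letters minus the pairs that
# are hard to tell apart in small print (0/O, 1/I) -> 32 symbols.
CELL_ALPHABET = "".join(c for c in string.digits + string.ascii_uppercase if c not in "01IO")
COLUMN_LABELS = string.ascii_uppercase          # letters across the top
COORD_RE = re.compile(r"^([A-Z])(\d{1,2})$")     # column letter + row number


def generate_grid(rows=5, cols=10, rng=secrets):
    """Build a rows x cols card as {(column_letter, row_number): symbol}.
    rng only needs .choice(); secrets for real cards, a seeded random.Random
    can be injected for reproducible tests."""
    if cols > len(COLUMN_LABELS):
        raise ValueError("at most 26 columns with single-letter labels")
    return {(COLUMN_LABELS[c], r + 1): rng.choice(CELL_ALPHABET)
            for r in range(rows) for c in range(cols)}


def render_grid(grid):
    """Plain-text rendering of the card, as it would appear in the PDF."""
    cols = sorted({c for c, _ in grid})
    rows = sorted({r for _, r in grid})
    lines = ["   " + " ".join(cols)]
    for r in rows:
        lines.append(f"{r:>2} " + " ".join(grid[(c, r)] for c in cols))
    return "\n".join(lines)


def parse_coord(text):
    """'b12' -> ('B', 12); rejects anything that is not letter+number."""
    m = COORD_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"bad coordinate {text!r}")
    return m.group(1), int(m.group(2))


def answer_from_card(grid, prompts):
    """What the user does by hand: look up each prompted cell on the card."""
    return "".join(grid[parse_coord(p)] for p in prompts)


def challenge_space(cells):
    """Number of possible answers to a `cells`-cell prompt, i.e. the guessing
    budget the lockout below has to defend."""
    return len(CELL_ALPHABET) ** cells


@dataclass
class Challenge:
    cells: tuple
    issued_at: float


class GridAuthenticator:
    """Server side of the second step. Call issue_challenge() only after the
    primary (AD) login succeeded, as in the post's point c)."""

    def __init__(self, grid, cells_per_challenge=3, ttl_seconds=120,
                 max_failures=5, clock=time.monotonic):
        self.grid = grid
        self.k = cells_per_challenge
        self.ttl = ttl_seconds
        self.max_failures = max_failures
        self.clock = clock
        self.failures = 0
        self.pending = None

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def issue_challenge(self):
        """Pick k distinct cells at random; returns prompts like ['I1','B3','C4']."""
        coords = list(self.grid)
        picked = []
        while len(picked) < self.k:
            c = secrets.choice(coords)
            if c not in picked:
                picked.append(c)
        self.pending = Challenge(tuple(picked), self.clock())
        return [f"{col}{row}" for col, row in picked]

    def verify(self, response):
        """Single-use, time-limited, constant-time check of the typed symbols."""
        ch, self.pending = self.pending, None   # challenge is consumed on first use
        if ch is None or self.locked:
            return False
        if self.clock() - ch.issued_at > self.ttl:
            return False
        expected = "".join(self.grid[c] for c in ch.cells)
        typed = re.sub(r"[\s,]", "", response).upper()   # accept "Z, 4, G"
        ok = hmac.compare_digest(expected.encode(), typed.encode())
        self.failures = 0 if ok else self.failures + 1
        return ok


if __name__ == "__main__":
    card = generate_grid()
    print(render_grid(card))
    auth = GridAuthenticator(card)
    prompts = auth.issue_challenge()
    print("prompt:", ", ".join(prompts))
    print("accepted:", auth.verify(answer_from_card(card, prompts)))
```

Two practitioner points the block makes concrete: the challenge is discarded the moment a response is checked, so a captured "Z, 4, G" cannot be replayed against the same prompt, and each observed login still reveals three of the fifty cells, which is why a self-service reissue path (the post's point a) matters as much as the lockout.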
Current thread:
- Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses Thomas Skill (Jun 02)
- Re: Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses Dunker, Mary (Jun 02)
- Re: Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses Thomas Skill (Jun 03)
- Message not available
- Re: Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses Don Murdoch (Jun 03)
- Re: Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses Dunker, Mary (Jun 02)
- Re: Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses Brad Judy (Jun 02)
- Re: Seeking insights on Two-factor Authentication roll-out from those who implemented at their campuses Nick Lewis (Jun 03)