Educause Security Discussion mailing list archives
Re: Duo Security concern -- EDU support requested
From: "Romig, Steve" <romig.1 () OSU EDU>
Date: Tue, 26 Apr 2016 13:23:37 +0000
Hey there, hope you're doing well! Can I forward this to our duo team? I can remove identifying info if you'd prefer. --- Steve
On Apr 26, 2016, at 8:47 AM, Cam Beasley <cam () UTEXAS EDU> wrote:

[ATTN: Duo Security campuses]

colleagues -

i wanted to share something we’ve discovered in our deployment of Duo in hopes that more attention from customers will help motivate the vendor to address an important security gap. Duo has tentatively projected a solution for late-2017, but has said that more feedback from EDU customers would allow them to bump it up on their development schedule.

————- issue ————-

based on our testing, there is a significant security gap around user notification for certain Duo events. these Duo events provide NO user communication and we believe users should have an option of being kept in the loop:

- user registration
- user de-registration
- user status changed to active status
- user status changed to bypass status
- user status changed to disabled status
- user status changed to locked out status

this issue is made worse by the fact that many of these events are not reflected directly in the logs Duo generates. as a result, there are very limited options for us to ensure the security of our users for these types of events.

————- action ————-

if you agree that this is a gap you would like for Duo to address sooner than 18-mos from now, then please reach out to your respective Duo representative as soon as possible.

please let me know if you have any questions.

thanks very much for your help,
~cam.

--
Cam Beasley
Chief Information Security Officer
Information Security Office
The University of Texas at Austin
security () utexas edu | 512.475.9242
http://security.utexas.edu
=======================================
https://www.facebook.com/utaustiniso
https://twitter.com/UT_ISO
=======================================