Educause Security Discussion mailing list archives

Re: Protecting workstations with Duo


From: "Scantlin, Aaron J." <ScantlinA () MISSOURI EDU>
Date: Wed, 7 Jun 2017 18:48:38 +0000

I disagree; I am much more apt to leave my phone somewhere than I am my keys (where my YubiKey lives).  That said, I 
imagine there are plenty of people where the opposite is true, so as Rich said, choose a solution that provides an 
acceptable balance of security and usability WRT your organization’s workflow.

FWIW, I really like using the YubiKey as a second factor for Windows login… if the key is not inserted, the user 
attempting to log in will get an authentication error, but it doesn’t tell you that it’s because you’re missing the 
YubiKey.  Another handy trick a fellow MU employee shared with me is creating a “password prefix” that only you know 
and configuring the second mode (3 second press) on the YubiKey to be a long, random string; you can then set your 
password as the concatenation of your password prefix and YubiKey mode two output… I refer to it as 1.5 FA. ;)

Aaron J. Scantlin
Security Analyst, Division of IT
GSEC, GCFA
University of Missouri, Columbia
(W) +1-573-884-7555
(C)   +1-573-424-0539
scantlina () missouri edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rich 
Graves
Sent: Wednesday, June 7, 2017 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Protecting workstations with Duo

The nice thing about many of the typical Duo factors is that they are slightly less likely to be stolen or left 
unattended than a Yubikey or smartcard. Of course, if you allow voice call to your desktop phone as a backup factor, 
which is something that we actually recommend to most people for pretty good reasons, that's not going to protect your 
desktop computer. Regardless, make sure the security/usability ratio is meaningfully positive.

On Wed, Jun 7, 2017 at 1:24 PM, randy <marchany () vt edu> wrote:
I use Yubikey as my standalone 2nd factor (no duo). I have it tied to my local accounts on my laptops (standalone). The 
yubico setup is pretty straightforward to set up.
-r.

On Wed, Jun 7, 2017 at 1:23 PM, Emily Harris <emharris () vassar edu> wrote:
I'm curious if anyone has deployed (or is thinking of deploying) MFA on their workstation logins via Duo.  It looks 
like it can be done, but it isn't very straightforward.  It requires a local workstation client, and to manage the 
users via Group policy.

Our goal is to require MFA for admin accounts only (for now).  I'm wondering if anyone has already deployed this.  
Thanks!

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221


