Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] 2 factor authentication


From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Tue, 11 Jun 2019 14:53:28 +0000

We’re heading down a similar path with Microsoft MFA.

We have it enabled for everyone using Office365 as well as a number of apps connected to ADFS such as Banner (Admin and 
very soon Self-Service) and Salesforce.  The plan is to enable MFA for other services connected to ADFS, and keep 
migrating services to ADFS that aren’t already.

I am intrigued by the mention below of using MFA as identity verification at the help desk, since that is always a 
challenge.  I’d like to hear more about how you do that and if your solution would be Duo specific.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Gonzalez, Joshua
Sent: Tuesday, June 11, 2019 9:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] 2 factor authentication

We implemented Duo campus-wide for faculty, staff, and students on all Shib, CAS, and ADFS authenticated applications.  
It’s been a multi-year project that included 100+ applications like Blackboard, VPN, O365, Outlook, Webex, Syncplicity, 
Jira, Confluence, etc.  It’s significantly cut down on the ability to exploit compromised accounts.  I can’t stress 
enough in our case how communication and testing were key to our success.





Joshua Gonzalez, CCNA R&S, Data Center, Network+, GCE
Director of Infrastructure and Research Computing
O  361.825.2576  C  361.800.3264
W  https://it.tamucc.edu
E  joshua.gonzalez () tamucc edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Cavender, Terry L
Sent: Tuesday, June 11, 2019 8:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] 2 factor authentication

We are using Aruba for our wireless access point.  Aruba Clearpass is providing the authentication.

Best,
_________________________
Terry Cavender CISA, PMP, CCSA, ACE (Palo Alto) |  Information Technology | Vanderbilt University
Oak Leaf Society Ambassador | terry.cavender () vanderbilt edu<mailto:terry.cavender () vanderbilt edu> | phone 
615.343.3494 | I do.  Not Try.  Do.
Did you know? VUIT offers help, training, discounts and more at it.vanderbilt.edu

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, 
Ronald A.
Sent: Tuesday, June 11, 2019 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] 2 factor authentication

This is a great thread as we are beginning our testing of Duo for deployment over the next year. Questions though: Is 
anyone using it for wireless/RADIUS authentication?

Thanks,
Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu<mailto:raking () nsu edu>
www.nsu.edu<http://www.nsu.edu/>
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Brian Epstein
Sent: Friday, June 7, 2019 10:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] 2 factor authentication

For everyone that has a smartphone, we will use it for the verification portion.  For the edge cases, we will have to 
come up with something else.  We are looking at implementing it everywhere we can over the next 12-24 months.  I heard 
a great talk on this at the Educause Security 19 conference.  The discussion was around implementing it everywhere that 
is possible so you don't have to manage which service/role warrants MFA.  That really spoke to me as the management and 
decision making process can be daunting.  If you decide to use it everywhere, though, the only thing you have to manage 
is your users, who will be getting used to it anyway.  Might not be suitable for all organizations, but it makes a lot 
of sense to me.

Thanks,
Brian
--
Brian Epstein <bepstein () ias edu<mailto:bepstein () ias edu>>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78

On Fri, Jun 7, 2019, 16:42 Brian Clark <brian.clark () caspercollege edu<mailto:brian.clark () caspercollege edu>> 
wrote:
Hi Brian,

Are you going to use Duo push for everyone on campus?

On Fri, Jun 7, 2019 at 2:33 PM Brian Epstein <bepstein () ias edu<mailto:bepstein () ias edu>> wrote:
We are going to start using Duo push to verify user identities over the
phone.  Except, of course, when the issue is with Duo Security.  We are
still trying to figure that one out. :)

Thanks,
ep

On 6/7/19 2:45 PM, Jenny Blaine wrote:
Yes. We have it in front of Shibboleth auth. Duo is our provider. It
has been opt-in for gmail and other non-Enterprise solutions. However,
we are going to make it obligatory for everyone, students & staff,
beginning November 1, 2019.

Hope this helps!

Jenny B.

On Fri, Jun 7, 2019 at 12:36 PM Brian Clark
<brian.clark () caspercollege edu<mailto:brian.clark () caspercollege edu>> wrote:

Is anyone using 2F for anything other than remote services or systems?
--
Brian Clark
Systems Programmer
Casper College
125 College Drive
Casper WY 82601
brian.clark () caspercollege edu<mailto:brian.clark () caspercollege edu>






--
Brian Epstein <bepstein () ias edu<mailto:bepstein () ias edu>>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78
--
Brian Clark
Systems Programmer
Casper College
125 College Drive
Casper WY 82601
brian.clark () caspercollege edu<mailto:brian.clark () caspercollege edu>

