Educause Security Discussion mailing list archives

Re: a few more 2 factor authentication questions


From: "Haselhoff, Brent" <brent.haselhoff () WKU EDU>
Date: Thu, 20 Jun 2019 20:57:44 +0000

We don’t have licenses for students, but for the systems we have Duo enabled, we require it for employees. We didn’t consider an opt-in approach. I have a feeling that the folks that are most likely to have weak passwords or fall for phishing wouldn’t sign up if we did.
We considered not requiring MFA while on-campus, but ultimately decided to require it from everywhere in order to give folks the same experience on-campus as off-campus.
We allow folks to “remember this device” for 30 days.

Brent Haselhoff
Manager, IT Security and Identity Management
Western Kentucky University
brent.haselhoff () wku edu
270-745-2012

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Schnitzer, Lawrence
Sent: Thursday, June 20, 2019 3:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] a few more 2 factor authentication questions

We're in the infancy of rolling out Duo for 2-factor at the University at Buffalo and are pondering policies. I'm wondering what other edu's are doing for the following:

  *   For the systems that use 2-factor (once we install it on Shibboleth that will be most of our systems), is it mandatory for all faculty, staff, and students?  Maybe an opt-in approach?
  *   If you auto-enroll everybody, is there an opt-out process?
  *   Do you require 2-factor regardless of a user's location?  (It's been suggested that we don't require it from on-campus networks.)
  *   How often do you require 2-factor?  Every login?  Once per day or week, etc.

Thanks.

-Larry

--
Larry Schnitzer
Director
Enterprise Infrastructure Services
University at Buffalo