Educause Security Discussion mailing list archives

Re: a few more 2 factor authentication questions


From: "Telfer, Will" <Will_Telfer () BAYLOR EDU>
Date: Thu, 20 Jun 2019 21:07:29 +0000

I answered below each question to try to make following the answers a bit easier. The beginning of the transition was 
a bit rough as there was some pushback from both faculty/staff & students, but nowadays most people just accept it as 
a bit of an annoyance that is at least simple to use.

  *   For the systems that use 2-factor (once we install it on shibboleth that will be most of our systems) is it 
mandatory for all faculty, staff, and students?  Maybe an opt-in approach?
     *   We did a gradual rollout as it started on only one system & then about a year later went on everything behind 
Shibboleth; to facilitate the initial rollout we had 8-10 laptops that we took out to various locations on campus & gave 
away Duo themed t-shirts in our school colors for everyone who enrolled on site or showed us they had previously 
enrolled. It is mandatory for all faculty, staff, & students. We did, however, increase our password expiration from 6 
months to 1 year when we moved to using Duo.
  *   If you auto enroll everybody is there an opt out process?
     *   No opt out process for any student, faculty, or staff.
  *   Do you require 2-factor regardless of a user's location?  (It's been suggested that we don't require from on 
campus networks.)
     *   Required from all locations (minus one small group of consultants & employees testing out the new 
implementation of the ERP system that goes live in 2020  but when they are using VPN they must Duo into the VPN just 
not the ERP & one single test account used for demonstrations/instruction based on our current ERP system).
  *   How often do you require 2-factor?  Every login?  Once per day or week, etc....
     *   We allow users to ‘Remember their device for 7 days’ & I have discovered for Office 365 (especially Outlook) 
that 7 days lasts over a month or 2 before I have to re-authenticate via Duo. If they do not select that option by 
checking the box on the Duo authentication screen or are using a different device, then Duo is required for every log 
in.
Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services

Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website: baylor.edu/BearAware


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Schnitzer, 
Lawrence
Sent: Thursday, June 20, 2019 3:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] a few more 2 factor authentication questions


We're in the infancy of rolling out Duo for 2-factor at the University at Buffalo and are pondering policies.  I'm 
wondering what other edu's are doing for the following:

  *   For the systems that use 2-factor (once we install it on shibboleth that will be most of our systems) is it 
mandatory for all faculty, staff, and students?  Maybe an opt-in approach?
  *   If you auto enroll everybody is there an opt out process?
  *   Do you require 2-factor regardless of a user's location?  (It's been suggested that we don't require from on 
campus networks.)
  *   How often do you require 2-factor?  Every login?  Once per day or week, etc....

Thanks.

-Larry

--

Larry Schnitzer

Director

Enterprise Infrastructure Services

University at Buffalo

