Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Duo/2FA exemption policies
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Wed, 14 Aug 2019 13:14:19 +0000
When we first rolled out MFA (Microsoft version), hardware tokens weren’t an option so we exempted people who claimed to not have a cell phone (and a couple who argued about not wanting to use a personal phone for work). In the end that was about 40 people out of 28,000 account holders. We’re now in the process of deploying tokens to those people, so essentially we won’t have any exceptions soon. We also have a process in place to allow the help desk to temporarily disable MFA for people who are in the process of replacing a lost/broken phone, but I assume you are looking for ongoing/long-term exceptions. We don’t have these exceptions in print as part of a policy other than the general disclaimer that the CISO or a delegate should be contacted for any exceptions to the Data Security Standards policy, which states that all Red and Yellow data systems should be protected by MFA. Thanks, Chris Chris Gregg Associate Vice President of Information Security & Risk Management, CISO Innovation & Technology Services (ITS) csgregg () stthomas edu<mailto:csgregg () stthomas edu> p 1 (651) 962-6265 University of St. Thomas | stthomas.edu<https://www.stthomas.edu/> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kristen Dietiker Sent: Tuesday, August 13, 2019 6:07 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [External] [SECURITY] Duo/2FA exemption policies I'm interested in knowing the circumstances under which other institutions exempt users from 2FA requirements. If you have a policy or standard operating procedure covering this, I'd appreciate the share. Thank you! Kristen Dietiker Chief Information Security Officer Santa Clara University (408) 554-5554 _______________________________________________________________ Duo 2-Factor Authentication is coming! Learn more at https://www.scu.edu/duo<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.scu.edu%2Fduo&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cc52e6fa654de4ed4d3dc08d720430296%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637013344506896446&sdata=uwPm2XD6GYdKEb1xnUF6%2FW%2BcZfRYmqKzqIJsc5szncw%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cc52e6fa654de4ed4d3dc08d720430296%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637013344506896446&sdata=peH4jw%2FBk42Owcqs4rzVg1YyYc2gX0cgGQRWNtRh94c%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Duo/2FA exemption policies Kristen Dietiker (Aug 13)
- Re: Duo/2FA exemption policies Orlando Leon (Aug 13)
- Re: [EXTERNAL] [SECURITY] Duo/2FA exemption policies Bandy, John (Aug 14)
- Re: Duo/2FA exemption policies James Farr (Aug 14)
- Re: [External] [SECURITY] Duo/2FA exemption policies Gregg, Christopher S. (Aug 14)
- Re: [External] [SECURITY] Duo/2FA exemption policies Phill Moran (Aug 14)
- Re: [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies Gene LeDuc (Aug 14)
- Re: [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies Gregg, Christopher S. (Aug 14)
- Re: [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies Valdis Klētnieks (Aug 14)
- Re: [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies Gene LeDuc (Aug 14)
- Re: [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies Valdis Klētnieks (Aug 14)
- Message not available
- Re: [Ext] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies John Kristoff (Aug 14)
- Re: [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies Phill Moran (Aug 14)