Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [External] [SECURITY] Duo/2FA exemption policies


From: Gene LeDuc <gleduc () SDSU EDU>
Date: Wed, 14 Aug 2019 16:03:48 -0700

You can dump a list of OTPs for the user, give them a hardware token, or use other options. This is not an insurmountable problem unless the user chooses to make it one. If MFA is a requirement, it's a requirement.

Gene

On 8/14/19 3:37 PM, Valdis Klētnieks wrote:
On Wed, 14 Aug 2019 09:20:45 -0700, Gene LeDuc said:

If the Duo account doesn't have any devices, then the user logs in with
credentials and gets to register a new device, problem solved and no temp
bypasses to undo.

How do you deal with the case of "the user's phone died last night, they have
to get work done today, and won't be able to actually get a new device for a
few days"? Not everybody who has an iPhone has the cash on hand to lay out for
a new one unexpectedly, and making them obtain a cheap burner phone they don't
want in order to get their MFA working isn't going to make the security office
any friends...


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


--
Gene LeDuc                 | Any sufficiently advanced technology is
Technology Security        | indistinguishable from a rigged demo.
San Diego State University |   --James Klass

