Re: MFA - Telephony Credit Usage/Reduction

[Ed Jalinske <0000007d9892d157-dmarc-request () LISTSERV EDUCAUSE EDU>]

Will, Chad, Jerry –

 

Do you have separate policies for University owned devices versus personal devices when disallowing SMS? If so, what 
are they and what is the basic reasoning for each? How have your campus communities responded?

 

Thanks,

 

Ed Jalinske, J.D.
University of Wisconsin-Madison

Office of Cybersecurity

Program Director, Cybersecurity Policy and Education

UW-Madison School of Business

Adjunct Professor, Information Privacy and Security

608.262.3837 (Office)

917.945.0748 (Cell)

ed.jalinske () wisc edu <mailto:ed.jalinske () wisc edu> 



 

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jerry Tylutki
Sent: Friday, November 22, 2019 8:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA - Telephony Credit Usage/Reduction

 

We have disallowed SMS as well. 

 

To date we have around 84% push authentication, 7.5% with passcode, and 5.5% that use phone. To date the telephony 
credits haven't become an issue with our implementation. It will be interesting if the percentage changes once in 12-18 
months once users starts to purchase new phones.


 

-------

Jerry Tylutki
Information Security Officer
Hamilton College

(315) 859-4289 -- office

 

*****The contents of this email are CONFIDENTIAL. If you have received this email by mistake, please notify the sender 
and delete the email and its contents.*****

 

 

On Fri, Nov 22, 2019 at 7:23 AM Chad Tracy <ctracy () bates edu <mailto:ctracy () bates edu> > wrote:

Will,

 

I am not sure of the breakdown between the telephone and sms authentication, but we ended up not allowing SMS. I am not 
sure if that is possible for you all.... in the end, folks will take the easiest path they think is available. To that 
end, it is sometimes up to us to give them just one path. 

 

Chad

 

On Thu, Nov 21, 2019 at 2:49 PM Telfer, Will <Will_Telfer () baylor edu <mailto:Will_Telfer () baylor edu> > wrote:

Greetings,

 

At Baylor we are utilizing Duo for MFA & encouraging users to download & enroll with the free Duo Mobile app. I think 
we have decent adoption of the app, as we are consistently seeing  above 70% usage of Duo push as the MFA method each 
month. Duo charges telephony credits for phone call & SMS passcode authentication (the amount of credits varies 
depending  on whether it is a domestic phone number or an international number – if the cost is above 20 credits, that 
method of authentication is not available to users as this is the default setting). Between phone call & SMS passcode 
authentication we have seen our telephony credit usage rise from 6-7k credits used per day when we first implemented 
Duo a couple of years ago to just over 9k per day this month. I know some of this is due to the 60+ services that are 
now protected by Duo (we started with one service & have since increased that total), but does anyone out there have a 
better strategy for trying to lower the telephony credit usage other than emailing users that are not using the Duo 
Mobile app consistently?

 

We suspect at least some of these users have gotten a new device & just haven’t re-connected the Duo Mobile app so they 
are limited to phone or SMS passcode authentication. Usually after I send out a batch of emails there is a temporary 
dip in telephony credit usage as some re-connect the app using the attached instructions to the email. We have a video 
tutorial & the same instructions on our campus Duo website & plan to advertise this when the spring semester starts on 
the basis that new devices may be a popular gift over the semester break.

 

Thank You,

Will Telfer, M.S.

Information Security Analyst

Information Technology Services

 

Follow BaylorITS & look for the #BearAware:

Twitter: @BaylorITS

Facebook: facebook.com/BaylorITS <http://facebook.com/BaylorITS> 

Website: baylor.edu/BearAware <http://baylor.edu/BearAware> 

 



 

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community 




 

-- 

Chad Tracy

Director of Information Security, Policy and Compliance

Bates College

207 786-6491

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community 

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community 


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Attachment: smime.p7s
Description: