Re: MFA - Telephony Credit Usage/Reduction

[Chad Tracy <ctracy () BATES EDU>]

Ed -

Like Jerry, we don't distinguish between personal or College devices.

Chad

On Fri, Nov 22, 2019 at 10:50 PM Jerry Tylutki <jtylutki () hamilton edu>
wrote:

> Ed -
> We don't distinguish between personal or University devices, we have SMS
> disallowed for all apps and policies in Duo. SMS was disallowed from the
> beginning, no community pushback going this approach.
>
> On Fri, Nov 22, 2019, 5:34 PM Ed Jalinske <
> 0000007d9892d157-dmarc-request () listserv educause edu> wrote:
>
> > Will, Chad, Jerry –
> >
> >
> >
> > Do you have separate policies for University owned devices versus
> > personal devices when disallowing SMS? If so, what are they and what is the
> > basic reasoning for each? How have your campus communities responded?
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Ed Jalinske, J.D.
> > University of Wisconsin-Madison
> >
> > Office of Cybersecurity
> >
> > Program Director, Cybersecurity Policy and Education
> >
> > UW-Madison School of Business
> >
> > Adjunct Professor, Information Privacy and Security
> >
> > 608.262.3837 (Office)
> >
> > 917.945.0748 (Cell)
> >
> > ed.jalinske () wisc edu
> >
> > [image: Cybersecurity Logo1]
> >
> >
> >
> >
> >
> > *From:* The EDUCAUSE Security Community Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Jerry Tylutki
> > *Sent:* Friday, November 22, 2019 8:23 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] MFA - Telephony Credit Usage/Reduction
> >
> >
> >
> > We have disallowed SMS as well.
> >
> >
> >
> > To date we have around 84% push authentication, 7.5% with passcode, and
> > 5.5% that use phone. To date the telephony credits haven't become an issue
> > with our implementation. It will be interesting if the percentage changes
> > once in 12-18 months once users starts to purchase new phones.
> >
> >
> >
> > *-------*
> >
> >
> > *Jerry TylutkiInformation Security Officer*
> > *Hamilton College*
> >
> > *(315) 859-4289 -- office*
> >
> >
> >
> > ******The contents of this email are CONFIDENTIAL. If you have received
> > this email by mistake, please notify the sender and delete the email and
> > its contents.******
> >
> >
> >
> >
> >
> > On Fri, Nov 22, 2019 at 7:23 AM Chad Tracy <ctracy () bates edu> wrote:
> >
> > Will,
> >
> >
> >
> > I am not sure of the breakdown between the telephone and sms
> > authentication, but we ended up not allowing SMS. I am not sure if that is
> > possible for you all.... in the end, folks will take the easiest path they
> > think is available. To that end, it is sometimes up to us to give them just
> > one path.
> >
> >
> >
> > Chad
> >
> >
> >
> > On Thu, Nov 21, 2019 at 2:49 PM Telfer, Will <Will_Telfer () baylor edu>
> > wrote:
> >
> > Greetings,
> >
> >
> >
> > At Baylor we are utilizing Duo for MFA & encouraging users to download &
> > enroll with the free Duo Mobile app. I think we have decent adoption of the
> > app, as we are consistently seeing  above 70% usage of Duo push as the MFA
> > method each month. Duo charges telephony credits for phone call & SMS
> > passcode authentication (the amount of credits varies depending  on whether
> > it is a domestic phone number or an international number – if the cost is
> > above 20 credits, that method of authentication is not available to users
> > as this is the default setting). Between phone call & SMS passcode
> > authentication we have seen our telephony credit usage rise from 6-7k
> > credits used per day when we first implemented Duo a couple of years ago to
> > just over 9k per day this month. I know some of this is due to the 60+
> > services that are now protected by Duo (we started with one service & have
> > since increased that total), but does anyone out there have a better
> > strategy for trying to lower the telephony credit usage other than emailing
> > users that are not using the Duo Mobile app consistently?
> >
> >
> >
> > We suspect at least some of these users have gotten a new device & just
> > haven’t re-connected the Duo Mobile app so they are limited to phone or SMS
> > passcode authentication. Usually after I send out a batch of emails there
> > is a temporary dip in telephony credit usage as some re-connect the app
> > using the attached instructions to the email. We have a video tutorial &
> > the same instructions on our campus Duo website & plan to advertise this
> > when the spring semester starts on the basis that new devices may be a
> > popular gift over the semester break.
> >
> >
> >
> > Thank You,
> >
> > *Will Telfer, M.S.*
> >
> > Information Security Analyst
> >
> > Information Technology Services
> >
> >
> >
> > Follow BaylorITS & look for the #BearAware:
> >
> > Twitter: @BaylorITS
> >
> > Facebook: facebook.com/BaylorITS
> >
> > Website: baylor.edu/BearAware
> >
> >
> >
> > [image: BU_e-signature]
> >
> >
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> >
> >
> >
> >
> > --
> >
> > Chad Tracy
> >
> > Director of Information Security, Policy and Compliance
> >
> > Bates College
> >
> > 207 786-6491
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Chad Tracy
Director of Information Security, Policy and Compliance
Bates College
207 786-6491

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community