Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA

["Telfer, Will" <Will_Telfer () BAYLOR EDU>]

At Baylor University we also elected to go with Duo, but we did trial Microsoft Authenticator for some email accounts 
to see how it functioned (at the time we elected to integrate Office 365 with Duo so that users did not have to learn a 
new MFA system). When we first instituted Duo, we provided Duo Hardware Tokens to the less than 10 Faculty & Staff that 
did not have a mobile device. Currently, our campus bookstore offers them for sale & we only provide them in 
emergencies (usually the Help Desk assigns a Bypass Code unless there is some long term circumstance requiring a 
permanent token). In those instances I recommend a U2F device first as they are a bit cheaper than the Duo Hardware 
Tokens. Since we allow phone call, as well as SMS passcode authentication, we have not had too many issues with folks 
being able to use Duo to log into our 60+ services (including Office 365, which includes email).

Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services

Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website: baylor.edu/BearAware

[BU_e-signature]

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ravi Kotecha
Sent: Tuesday, May 12, 2020 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA

[EXTERNAL MESSAGE]
Hi Beth,

At Brandeis, we are using DUO and chose to offer hardware tokens that generate a one-time passcode instead of the 
YubiKey option. The hardware tokens cost about $20 each and we have decided it's a cost of doing business and any 
faculty, staff, or student can request one, at no cost to them. It is not widely advertised, but offered if someone 
expresses concern over the other 2fa options.

The YubiKeys are great for USB capable devices, but since many users use mobile devices, the tokens were a better 
option for us. One reason we made the tokens available to anyone who asked was so that it was not a symbol of being low 
income. It also takes care of study abroad situations, and we did mail out tokens in those cases but since students 
were on campus when we enabled 2fa, the mailing situations were few and far between.

Best,
Ravi
--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
x67284 | security () brandeis edu<mailto:security () brandeis edu>
[A button with "Hear my name" text for name playback in email 
signature]<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.name-coach.com%2Fravi-kotecha&data=01%7C01%7CWill_Telfer%40BAYLOR.EDU%7C8c9af78d697f4c5f001108d7f680fde5%7C22d2fb35256a459bbcf4dc23d42dc0a4%7C0&sdata=IkngwOuqlduKWNOWtTpbtgTspRdvK%2BV1MxAHkbLXE2U%3D&reserved=0>


On Mon, May 11, 2020 at 9:02 PM Beth Albertson <albertb3 () wwu edu<mailto:albertb3 () wwu edu>> wrote:
We are in the process of implementing Azure MFA for our staff and students.  We have a small percentage of students 
without smart phones, and would like to offer them the option of using a FIDO2 key.  I was wondering if other 
Universities are using FIDO2 keys, and if so, who is picking up the cost?  Are students expected to buy their own 
device?  Also, we, like most Universities are all online during the Covid crisis, so it seems we would have to mail the 
FIDO2 keys to users if we pick up the cost.  Thank you in advance for any information you can provide.

Sincerely,

Beth Albertson, CISSP®, PMP®
Director of Information Security
Western Washington University
beth.albertson () wwu edu<mailto:beth.albertson () wwu edu>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fwww.educause.edu%2Fcommunity__%3B!!DaRZpAeNFA!M4vdDdcgk_1fNNyZV2ZCY-mUPsv4g0OidyLbira4z8z7UaPkO55iBpjfCs8NeaOfBnk%24&data=01%7C01%7CWill_Telfer%40BAYLOR.EDU%7C8c9af78d697f4c5f001108d7f680fde5%7C22d2fb35256a459bbcf4dc23d42dc0a4%7C0&sdata=Xrdu7aL90OkEaFXCS91fSqowWuIdK96X5qQLv0qDzSs%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=01%7C01%7CWill_Telfer%40BAYLOR.EDU%7C8c9af78d697f4c5f001108d7f680fde5%7C22d2fb35256a459bbcf4dc23d42dc0a4%7C0&sdata=rdLfFXIGqqO%2FsSq1SNby5EtzMUhZuZK7R2OIzeKq%2FUM%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community