Educause Security Discussion mailing list archives

Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA


From: Tim Cappalli <00000194c9ecac40-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Mon, 18 May 2020 14:15:52 +0000

These may help:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys

tim


 Tim Cappalli | @timcappalli<https://www.twitter.com/timcappalli>

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Sabo, Eric 
<sabo_e () CALU EDU>
Sent: Monday, May 18, 2020 09:58
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA


Does anyone have any recommendations for FIDO hardware keys? Are there any recommendations or a list that is supported
by Microsoft?







From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Beth Albertson
Sent: Tuesday, May 12, 2020 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA






Thank you everyone for your advice.  With Azure MFA, there is extra setup by our system administrators for hardware 
tokens, while users can self-enroll with the FIDO2 keys (we are using the combined SSPR and MFA registration).  So, we 
are trying to avoid the hardware tokens, but are using them in some instances.  We are pushing users to use the MS 
Authenticator App as a first choice, which has worked great for us, and can be set up for passwordless authentication.  
We are also concerned about low income students who might not have a smart phone, so thought providing FIDO2 keys at no 
cost might be a good option. We also are supporting MFA with SMS and regular phone calls to any type of phone 
(landline, mobile, office, home).



Thank you Blake for mentioning there may be some limitations with FIDO2 keys such as not being able to use it with 
desktop Teams and Outlook.   I will check out the option you mentioned of using Yubico Authenticator with a Yubico key.



Sincerely,



Beth Albertson, CISSP®, PMP®

Director of Information Security

Western Washington University

beth.albertson () wwu edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Garrett McManaway
Sent: Tuesday, May 12, 2020 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA



We have used Duo for a while now for employees and are in the process of adding students to Duo for fall semester. We
have purchased these https://shop.ftsafe.us/products/otp-c100-h41 for about 9 bucks each in bulk to give out to people
who complain enough about using their phone (we do not issue phones to anyone so all personal devices) or do not have
a smart phone. We also lend them out to people who are traveling overseas. We do also sell Yubikeys on campus but
people rarely buy them.



I normally give these through our help desk that has a customer service area in our Student Center. That is of course
closed right now like the rest of campus; we have distributed other equipment like Chromebooks and hotspots to faculty
and staff in need through our student food bank that has remained open during shutdown. That is not ideal but will be
my backup plan if we are not open by fall.



Garrett McManaway

CISO & Sr. Director

C&IT - Information Security and Compliance

Wayne State University

Phone: 313-577-3454



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ravi Kotecha
Sent: Tuesday, May 12, 2020 10:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA








Hi Beth,



At Brandeis, we are using DUO and chose to offer hardware tokens that generate a one-time passcode instead of the 
YubiKey option. The hardware tokens cost about $20 each and we have decided it's a cost of doing business and any 
faculty, staff, or student can request one, at no cost to them. It is not widely advertised, but offered if someone 
expresses concern over the other 2fa options.



The YubiKeys are great for USB capable devices, but since many users use mobile devices, the tokens were a better 
option for us. One reason we made the tokens available to anyone who asked was so that it was not a symbol of being low 
income. It also takes care of study abroad situations, and we did mail out tokens in those cases but since students 
were on campus when we enabled 2fa, the mailing situations were few and far between.



Best,

Ravi

--

Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst

Information Technology Services

x67284 | security () brandeis edu






On Mon, May 11, 2020 at 9:02 PM Beth Albertson <albertb3 () wwu edu> wrote:

We are in the process of implementing Azure MFA for our staff and students.  We have a small percentage of students 
without smart phones, and would like to offer them the option of using a FIDO2 key.  I was wondering if other 
Universities are using FIDO2 keys, and if so, who is picking up the cost?  Are students expected to buy their own 
device?  Also, we, like most Universities are all online during the Covid crisis, so it seems we would have to mail the 
FIDO2 keys to users if we pick up the cost.  Thank you in advance for any information you can provide.



Sincerely,



Beth Albertson, CISSP®, PMP®

Director of Information Security

Western Washington University

beth.albertson () wwu edu



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
