Educause Security Discussion mailing list archives
Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA
From: Tim Cappalli <00000194c9ecac40-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Mon, 18 May 2020 14:15:52 +0000
These may help:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys

tim

Tim Cappalli | @timcappalli<https://www.twitter.com/timcappalli>

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Sabo, Eric <sabo_e () CALU EDU>
Sent: Monday, May 18, 2020 09:58
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA

Does anyone have any recommendations for FIDO hardware keys? Are there any recommendations or a list that is supported by Microsoft?

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Beth Albertson
Sent: Tuesday, May 12, 2020 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA

Thank you everyone for your advice.

With Azure MFA, there is extra setup by our system administrators for hardware tokens, while users can self-enroll with the FIDO2 keys (we are using the combined SSPR and MFA registration). So, we are trying to avoid the hardware tokens, but are using them in some instances.

We are pushing users to use the MS Authenticator App as a first choice, which has worked great for us, and can be set up for passwordless authentication. We are also concerned about low income students who might not have a smart phone, so thought providing FIDO2 keys at no cost might be a good option. We also are supporting MFA with SMS and regular phone calls to any type of phone (landline, mobile, office, home).

Thank you Blake for mentioning there may be some limitations with FIDO2 keys such as not being able to use it with desktop Teams and Outlook. I will check out the option you mentioned of using Yubico Authenticator with a Yubico key.

Sincerely,

Beth Albertson, CISSP®, PMP®
Director of Information Security
Western Washington University
beth.albertson () wwu edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Garrett McManaway
Sent: Tuesday, May 12, 2020 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA

We have used Duo for a while now for employees and are in the process of adding students to Duo for fall semester. We have purchased these https://shop.ftsafe.us/products/otp-c100-h41 for about 9 bucks each in bulk to give out to people who complain enough about using their phone (we do not issue phones to anyone so all personal devices) or do not have a smart phone. We also lend them out to people who are traveling overseas. We do also sell Yubikeys on campus but people rarely buy them.

I normally give these through our help desk that has a customer service area in our Student Center. That is of course closed right now like the rest of campus; we have distributed other equipment like chromebooks and hotspots to faculty and staff in need through our student food bank that has remained open during shutdown. That is not ideal but will be my backup plan if we are not open by fall.

Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ravi Kotecha
Sent: Tuesday, May 12, 2020 10:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA

Hi Beth,

At Brandeis, we are using DUO and chose to offer hardware tokens that generate a one-time passcode instead of the YubiKey option. The hardware tokens cost about $20 each and we have decided it's a cost of doing business and any faculty, staff, or student can request one, at no cost to them. It is not widely advertised, but offered if someone expresses concern over the other 2fa options. The YubiKeys are great for USB capable devices, but since many users use mobile devices, the tokens were a better option for us.

One reason we made the tokens available to anyone who asked was so that it was not a symbol of being low income. It also takes care of study abroad situations, and we did mail out tokens in those cases but since students were on campus when we enabled 2fa, the mailing situations were few and far between.

Best,
Ravi

--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
x67284 | security () brandeis edu

On Mon, May 11, 2020 at 9:02 PM Beth Albertson <albertb3 () wwu edu> wrote:

We are in the process of implementing Azure MFA for our staff and students. We have a small percentage of students without smart phones, and would like to offer them the option of using a FIDO2 key. I was wondering if other Universities are using FIDO2 keys, and if so, who is picking up the cost? Are students expected to buy their own device? Also, we, like most Universities are all online during the Covid crisis, so it seems we would have to mail the FIDO2 keys to users if we pick up the cost.

Thank you in advance for any information you can provide.

Sincerely,

Beth Albertson, CISSP®, PMP®
Director of Information Security
Western Washington University
beth.albertson () wwu edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- FIDO2 keys and MFA Beth Albertson (May 11)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Ravi Kotecha (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Tomassetti, Tina (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Telfer, Will (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Garrett McManaway (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Beth Albertson (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Sabo, Eric (May 18)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Tim Cappalli (May 18)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Ravi Kotecha (May 12)