Educause Security Discussion mailing list archives
Re: Duo enforcement for students
From: "Chester, Heather" <htomley () LUC EDU>
Date: Mon, 12 Oct 2020 13:50:13 +0000
First off, many thanks to the Educause community for constantly sharing. There was a wealth of information we used to plan our roll-out. We focused on a very collaborative deployment and balancing impact to the Service Desk. See attached/below and use if helpful. We had a roll-out plan over 5 months, for active faculty, staff, students. We also requested Student Development, Deans of Schools, and Leaders of Staff Divisions to identify when would be the best time for their group to enable MFA over a couple weeks (and remind them that anyone could opt-in at any time ahead of time). We enabled groups of people weekly (comm outline below). Due to COVID, we deferred our initial launch plans (Jan thru May, now May-Sept). Overview Pilot with internal IT teams (2 or 3 enablement’s) Pilot “friendly” operations non-IT groups that use ITS service often (to gain a wider university perspective) Presented the launch of MFA to the Cabinet (and sent additional communications to Dean’s Council of this initiative) and Global Comm to University this would be required Sought partnership with Student Development, Deans of Schools, and Leaders of Staff Divisions when would be best for their areas to be enabled during this timeframe (gave 2 weeks to respond. Goal was to have all groups scheduled within 2-3 weeks & deploy over 4 mo’s). Roll-out over 4 months, first with faculty after graduation (May/June), then staff (June and July), then students (June/July/early August). Moved all inactive accounts over the course of the deployment, or new accounts as they were enabled. Communicated through 5-7 unique channels (faculty, staff, and student) encouraging self-enrollment (even before required by scheduled group dates, which drove adoption). Had video’s, we have detailed step-by-step instructions, and FAQ’s on the website, and offered weekly Zoom Drop-In sessions on Monday & Tuesday (and offered individuals to schedule a 1-1 walk thru with Info Security Office) Weekly Enablement’s Example, on Monday 6/1 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am (which gave users 10 days to self-enroll) Example, on Monday 6/8 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am (which gave users 2 days to self-enroll) Example, on Tuesday 6/9 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am (which gave users 1 day to self-enroll, final reminder) Due to COVID, we changed our deployment, however, the increased security for our online community was important to everyone so the timing did not matter as much. We did still take into consideration, avoiding Students, Faculty, and Student Service (Bursar, Reg&Rec, etc) around 2 weeks before & after start of school, which was preferred. We avoided staff around start of school too and avoided staff around annual enrollment (as part of our initial planning) or end of year around 2 weeks before & after end of year, that is preferred. Thank you, Heather Heather Tomley Chester, MBA, MEd, PMP, ITIL, MSIT (Spring 2021) ITS Sr. Project Manager Loyola University of Chicago [LUC 150 logo] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of randy Sent: Friday, October 9, 2020 4:36 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Duo enforcement for students We picked a July 5, 2016 as our cutover date for everyone (F/S/S). We had a voluntary 6 month cutover period prior to that (1/2016-6/2016) where anyone could switch over before the official switchover date. -Randy Marchany VA Tech IT Security Office & Lab On Fri, Oct 9, 2020 at 4:31 PM Kristen Dietiker <000001c25973bc27-dmarc-request () listserv educause edu<mailto:000001c25973bc27-dmarc-request () listserv educause edu>> wrote: For those institutions that require Duo or some other multi-factor auth for students, how did you time the enforcement in terms of the academic calendar? Summer? Winter or Spring break? When classes were in session? And would you keep that choice if given a do-over? Thank you! -- Kristen Dietiker Chief Information Security Officer Santa Clara University (408) 554-5554 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Attachment:
Two Factor Lessons Learned - EDUCAUSE.pdf
Description: Two Factor Lessons Learned - EDUCAUSE.pdf
--- Begin Message --- From: Chad Schonewill <cschonewill () COLORADOCOLLEGE EDU>
Date: Mon, 10 Feb 2020 15:25:06 +0000
1. How far in advance did you begin communicating this coming change to students, and via which mediums (email, social, portal injection pages, etc.)? We let students know it was coming months in advance in a general way as we were working on faculty and staff. Once we started on students, we’d send them an email about 1 week prior to their account getting automatically enrolled letting them know about that deadline and pointing them to the self-enrollment link. 2. Did you add all students at once, or did you use a staged approach (opt-in period, segmented populations, etc.)? We started with a batch of 50 students to see how that went, and then the next batch was 100, the next was 200, etc. until the final batch of about 400. 3. What MFA options do your students have (token, app/push notifications, others)? Push notifications in the app / texted code on their phones / token (very few took advantage of the token) 4. Do your students retain their accounts after graduation, and if so, how do you handle this with regard to Duo? Do they remain enrolled? They do retain their accounts after graduation. We have an automated process that runs for graduates which makes changes to their accounts – one of those changes it to remove them from Duo. 5. Did you receive a large amount of pushback from students? What were your main complaints? We did not receive a large amount of pushback, but we heard through the grapevine that students complained to each other and to faculty. Basically they just didn’t like the idea of the extra step. We had some spoonfulls of sugar to help the medicine go down, though (such as removing forced password resets every 6 months once peoples’ accounts were protected by Duo). 6. What LMS do you use, and how is Duo integrated with your LMS? Canvas, which we have integrated with our single sign-in (CAS). Since Duo applies to all CAS apps, nothing special had to happen for Canvas. 7. How do you handle Duo enrollment for new, incoming students? Do they have a grace period for enrollment? Our plan is to have them do it immediately upon receiving their accounts over the summer. We found that Duo enrollment is by far easiest and simplest when done at the beginning. Once people configure exchange profiles and such on various devices, it becomes exponentially harder. 8. Any other lessons learned you'd like to share? · You need a plan for when students inevitably lose / break their cell phones after hours. We were able to pretty easily develop a basic app through the Duo API which allows users to generate their own bypass codes (good for 3 uses for students) and we put that link on the single sign in page itself right next to the password reset link. · Be aware of which students are studying abroad and skip them until they are back on campus if possible. · Note that there are a lot of restrictions on Duo in China (notably, google play store is not available in China, Duo push won’t work in China, and phone callback may or may not work in China) See more at https://help.duo.com/s/article/2094?language=en_US so make sure that students who live in China or anyone who is travelling there is aware of what to do. ----- Chad Schonewill ‘03 Office of Information Technology (ITS) Assistant Director, Solutions Services (719) 389-6941 COLORADO COLLEGE From: The EDUCAUSE IT Communications Community Group Listserv <ITCOMM () LISTSERV EDUCAUSE EDU> On Behalf Of April Burke Sent: Monday, February 10, 2020 7:34 AM To: ITCOMM () LISTSERV EDUCAUSE EDU Subject: [ITCOMM] Student Duo Implementation This email originated outside Colorado College. Do not click links or attachments unless you know the content is safe. Good Morning Fellow Communicators, At Georgia Southern University, we're in the beginning stages of planning to roll out Duo for our entire student population. This group was such a tremendous help in rolling Duo out to our faculty and staff that I thought I would pick your brains once again. Below are a few questions our team has about implementing this service for students: 1. How far in advance did you begin communicating this coming change to students, and via which mediums (email, social, portal injection pages, etc.)? 2. Did you add all students at once, or did you use a staged approach (opt-in period, segmented populations, etc.)? 3. What MFA options do your students have (token, app/push notifications, others)? 4. Do your students retain their accounts after graduation, and if so, how do you handle this with regard to Duo? Do they remain enrolled? 5. Did you receive a large amount of pushback from students? What were your main complaints? 6. What LMS do you use, and how is Duo integrated with your LMS? 7. How do you handle Duo enrollment for new, incoming students? Do they have a grace period for enrollment? 8. Any other lessons learned you'd like to share? If you're willing to answer any or all of the questions above, your feedback is incredibly appreciated. Hope you all have a great Monday. Thanks, April <https://d36urhup7zbd7q.cloudfront.net/dff2249b-40aa-4b2a-9e79-b6f305bed7e3/ITScompleteRGB.format_png.resize_200x.png#logo> April Burke Executive Communications Manager 912-478-8748<tel:912-478-8748> GeorgiaSouthern.edu/ITS<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgeorgiasouthern.edu%2FITS&data=02%7C01%7Ccschonewill%40COLORADOCOLLEGE.EDU%7Cf829088686be41923f7608d7ae365b00%7Ccfc7b13c12964387b3085de08fd13c99%7C1%7C0%7C637169420798025999&sdata=bYUbwv8ajLJnlJqrEaC57%2F1fEP5%2FTZEAXvxewCaV5%2Fc%3D&reserved=0> PO Box 8122 Statesboro GA 30460 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ccschonewill%40COLORADOCOLLEGE.EDU%7Cf829088686be41923f7608d7ae365b00%7Ccfc7b13c12964387b3085de08fd13c99%7C1%7C0%7C637169420798025999&sdata=i0WN4hxuaSbTA10lr%2F37ZbnGvz1tLWEoerBctLwDhyY%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
--- End Message ---
Current thread:
- Duo enforcement for students Kristen Dietiker (Oct 09)
- Re: Duo enforcement for students Telfer, Will (Oct 09)
- Re: Duo enforcement for students randy (Oct 09)
- Re: Duo enforcement for students Chester, Heather (Oct 12)
- Re: Duo enforcement for students Kristen Dietiker (Oct 12)
- Re: Duo enforcement for students Chester, Heather (Oct 12)
- Re: Duo enforcement for students Kristen Dietiker (Oct 12)
- Re: Duo enforcement for students Chester, Heather (Oct 12)