Passwords are dead: Richard Biever, Duke
What got us here?: Breaches, breaches, breaches; account & password sharing; tension between strong password policies and user acceptance; time it takes to crack a password.
How did we start?: Pre-2011 faculty concern about access to benefit information; 2010-2011 evaluation of existing technologies; 2011-12 evaluation of integration with Shib; 2013 pilot with Duo (600 IT people); 2013 IT rollout; 2014 direct deposit phishing incident – individuals lost pay after falling for a scheme that changed their bank routing information; 2014-15 voluntary adoption, currently about 14k accounts across campus.
Approach: Focus on shib sites but don’t forget other technologies (SSH, RDP, VPN); allow strength checking for multiple factors in shib; build our own self-service interface to mimic what users were used to; make it easy to recover with temporary passcodes.
Four-pronged rollout: evangelize across campus for voluntary enrollment; make mandatory for specific services (e.g. protected network); make mandatory for certain groups (e.g. Finance, IT, School of Nursing); Duke Medicine implementing mandatory for remote access Aug 1.
Tone from the top is important – memo from EVP to campus, memo from Medicine leadership.
At about 1/3 participation now.
What’s next: mandatory for Duke Medicine remote access; mandatory for HR system; solve the “thick client” problem for SAP and PeopleSoft; test how to accept an “MFA” attribute from federation partners for Shib logins.
InCommon is working on creating an MFA working group.