CSG Spring 2015 – Security 3.0: Multifactor authentication

Passwords are dead: Richard Biever, Duke

What got us here?: Breaches, breaches, breaches; account and password sharing; tension between strong password policies and user acceptance; and how little time it takes to crack a password.

How did we start?: Pre-2011, faculty concern about who could access benefits information; 2010-2011, evaluation of existing technologies; 2011-12, evaluation of integration with Shibboleth; 2013, pilot with Duo (about 600 IT staff); 2013, rollout to IT; 2014, direct-deposit phishing incident in which individuals lost pay after being tricked into changing the bank routing information for their direct deposit; 2014-15, voluntary adoption, currently about 14k accounts across campus.

Approach: Focus on Shibboleth-protected sites but don't forget other access paths (SSH, RDP, VPN); let Shibboleth check which factors were used so a service can require the strength it needs; build our own self-service enrollment interface to mimic what users were already used to; make it easy to recover access with temporary passcodes.
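The last item, recovery with temporary passcodes, is where a self-service MFA portal most often goes wrong: a recovery code that never expires, can be retried without limit, or is stored in the clear is a password with a second name. The following is an added example, not Duke's self-service code, of how such a passcode can be issued and checked: the plaintext is shown to the user once, only a salted PBKDF2 hash is stored, and the code is time-limited, attempt-limited and single-use. The 15-minute lifetime, 8-digit length, 5-attempt cap and in-memory dictionary store are hypothetical choices for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical policy values, not taken from the original notes.
PASSCODE_TTL_SECONDS = 15 * 60   # temporary passcode lives 15 minutes
PASSCODE_DIGITS = 8              # 8-digit numeric code
MAX_ATTEMPTS = 5                 # wrong guesses before the code is burned
PBKDF2_ROUNDS = 50_000


def issue_temp_passcode(store, user, now=None, ttl=PASSCODE_TTL_SECONDS):
    """Create a one-time passcode for `user`, keep only its salted hash in
    `store` (a dict standing in for a database), and return the plaintext
    exactly once so the help desk or portal can show it to the user."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** PASSCODE_DIGITS):0{PASSCODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)
    # Issuing a new code replaces any outstanding one for this user.
    store[user] = {"salt": salt, "digest": digest,
                   "expires": now + ttl, "attempts": 0}
    return code


def verify_temp_passcode(store, user, candidate, now=None,
                         max_attempts=MAX_ATTEMPTS):
    """Return True once, for the correct code, while it is still valid.
    Expired or over-tried codes are deleted so they cannot be retried later."""
    now = time.time() if now is None else now
    rec = store.get(user)
    if rec is None:
        return False
    if now > rec["expires"]:
        del store[user]
        return False
    rec["attempts"] += 1
    if rec["attempts"] > max_attempts:
        del store[user]
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 rec["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison; a plain == would leak timing information.
    if hmac.compare_digest(digest, rec["digest"]):
        del store[user]      # single use: a replayed code fails
        return True
    return False


if __name__ == "__main__":
    db = {}
    shown_once = issue_temp_passcode(db, "jdoe")
    print("give the user:", shown_once)
    print("first use:", verify_temp_passcode(db, "jdoe", shown_once))
    print("replay:", verify_temp_passcode(db, "jdoe", shown_once))
```

The verification order matters: expiry is checked before the attempt counter is touched, and the record is removed on success, on expiry and when the attempt cap is exceeded, so none of those states leaves a code lying around that a later guess could hit.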

Four-pronged rollout: evangelize across campus for voluntary enrollment; make it mandatory for specific services (e.g. the protected network); make it mandatory for certain groups (e.g. Finance, IT, School of Nursing); Duke Medicine is implementing mandatory MFA for remote access on Aug 1.

Tone from the top is important: a memo from the EVP to campus, and a memo from Duke Medicine leadership.

At about 1/3 participation now.

What's next: mandatory for Duke Medicine remote access; mandatory for the HR system; solve the "thick client" problem for SAP and PeopleSoft (native clients that bypass the browser-based SSO flow); test how to accept an "MFA" authentication-context assertion from federation partners for Shibboleth logins.
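Accepting "MFA" from a federation partner, and the earlier point about Shibboleth checking factor strength, both come down to one question at the service provider: does the AuthnContextClassRef in the partner's assertion name a context this SP treats as multifactor, does it come from a partner trusted to make that claim, and is the authentication recent enough? The following is an added example, not Duke's or InCommon's configuration, of that policy check as it would run after the SP software has already verified the assertion's signature, audience, recipient and replay conditions. The accepted-context set, the trusted-issuer list and the 10-minute freshness window are hypothetical; the REFEDS MFA profile URI is a real published identifier used here only as an illustrative value.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical policy, not taken from the original notes.
ACCEPTED_MFA_CONTEXTS = {"https://refeds.org/profile/mfa"}
MFA_TRUSTED_ISSUERS = {"https://idp.partner.example/idp/shibboleth"}
MAX_AUTHN_AGE = timedelta(minutes=10)


def make_assertion(issuer, context_class, authn_instant):
    """Build a minimal, unsigned SAML 2.0 Assertion. Constructed sample input
    only; a real SP would receive this inside a signed Response."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_example" Version="2.0"
    IssueInstant="{authn_instant}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@partner.example</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="{authn_instant}">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{context_class}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_instant(text):
    """SAML timestamps are UTC, e.g. 2015-05-12T15:00:00Z."""
    return datetime.fromisoformat(text.rstrip("Z")).replace(tzinfo=timezone.utc)


def mfa_satisfied(assertion_xml, now):
    """Return (ok, reason). `now` may be a datetime or an ISO-8601 UTC string.
    Assumes signature, audience, recipient and replay checks already passed."""
    if isinstance(now, str):
        now = parse_instant(now)
    root = ET.fromstring(assertion_xml)

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in MFA_TRUSTED_ISSUERS:
        # Any IdP can emit the MFA URI; only partners we have vetted count.
        return False, "issuer-not-trusted-for-mfa"

    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no-authn-statement"

    ctx = (stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                         namespaces=NS) or "").strip()
    if ctx not in ACCEPTED_MFA_CONTEXTS:
        # e.g. PasswordProtectedTransport: a valid login, but single-factor.
        return False, "context-not-mfa"

    instant_text = stmt.get("AuthnInstant")
    if not instant_text:
        return False, "no-authn-instant"
    if now - parse_instant(instant_text) > MAX_AUTHN_AGE:
        # An old session carried over from the partner does not satisfy
        # a service that wants a fresh second factor.
        return False, "authn-too-old"

    return True, "ok"


if __name__ == "__main__":
    sample = make_assertion("https://idp.partner.example/idp/shibboleth",
                            "https://refeds.org/profile/mfa",
                            "2015-05-12T15:00:00Z")
    print(mfa_satisfied(sample, "2015-05-12T15:01:00Z"))
```

The issuer check is the part most easily forgotten: the context URI is just a string the remote IdP chooses to send, so the SP has to decide per partner whether that string is believable, which is the work an InCommon MFA profile and working group would make easier.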

InCommon is working on creating an MFA working group.
