Educause Security Discussion mailing list archives
Re: Two-Factor Authentication
From: Peter Setlak <psetlak () COLGATE EDU>
Date: Thu, 5 Sep 2013 13:53:32 -0400
David,

Good point! Thank you. To clarify what we are looking to implement, this would not tie in with CAS as we do not require our users to log in to our portal in order to log in to Gmail. The 2-factor would SMS or call the user's phone directly, without using the Google Authenticator app. In other words, even though my network account and my Gmail account sync to the same password, only when/if I log in to Gmail will I be presented with the 2fa (except if I've set up application-specific passwords for my mail clients).

I am curious, though, what else may be out there in use...

Thank you,
Peter

On Thu, Sep 5, 2013 at 12:54 PM, Harry Hoffman <hhoffman () ip-solutions net> wrote:
Hi David,

I don't know if this will work in your environment but we have something similar to CAS called Weblogin.

When a user is enrolled in 2fa and hasn't authenticated to a web app then they are redirected to weblogin (same as with CAS) to provide their initial set of authentication credentials (userid + password). Weblogin checks to see if they are enrolled in 2fa and if so presents them with a page to enter their code. Once this is successful redirection happens as normal (i.e. w/o 2fa).

CAS (at least some versions) is capable of doing multiple authentication methods so I believe that this is feasible to implement.

If you want more information let me know and I can get you in contact with some of the folks here who run our 2fa and weblogin environments.

Cheers,
Harry

On 09/05/2013 12:30 PM, David Curry wrote:

We have two-factor authentication enabled for our domain - in the sense that we allow individual users to turn it on, not that we require them to.

Unfortunately, it doesn't work if you're using single sign-on, such as a CAS server, as we are. It's documented not to work, so it's not a bug, but it's unfortunate.

So you (as a user) can set up the Google Authenticator for your GAE account, but if your domain is using single sign-on, you'll never actually be prompted to use the Authenticator to sign in. :-(

--
*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY
*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry () newschool edu

On Thu, Sep 5, 2013 at 12:26 PM, Dennis Bolton <bolton () oakland edu> wrote:

We too are seeing an increase in compromised Gmail accounts. With the compromise limited to the Gmail side (e.g. we have the credentials trying to be used against other services). We also have not yet turned on two-factor authentication for our Google Apps domain and would be hearing feedback.
Dennis Bolton
Network Security Analyst
Oakland University
248-370-4803
bolton () oakland edu

On Thu, Sep 5, 2013 at 12:15 PM, Peter Setlak <psetlak () colgate edu> wrote:

All,

We are being hit with a number of compromised student Gmail accounts. We have not yet turned on two-factor authentication for our Google Apps domain.

Has anyone here enabled this feature? Did users take to it? Was it mandatory or optional? How extensive was your campaign and communications to end-users? Were there major caveats, issues, etc? Has anyone implemented other solutions to combat this (or similar) issues?

--
Thank you,
Peter J. Setlak
Managing Director, Networks, Systems & Operations
Network Security Analyst, GSEC, GLEG
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 180H (NSO Suite)
skype: petersetlak

Think *Green!* Please consider the environment before printing this email.

*Engage with Colgate University:*
News blog <http://blogs.colgate.edu/>, Twitter <https://twitter.com/#%21/colgateuniv>, Facebook <https://www.facebook.com/colgateuniversity>, Google+ <https://plus.google.com/u/0/b/113333907606560373469/>, Delicious <http://www.delicious.com/colgatenewsmakers>, YouTube <http://www.youtube.com/cuatchannel13>, Flickr <http://www.flickr.com/photos/colgateuniversity/>, Pinterest <http://pinterest.com/colgateuniv/>, LinkedIn <http://www.linkedin.com/company/colgate-university/>

--
Dennis Bolton
Network Security Analyst
Oakland University
2200 N Squirrel Road
Rochester MI 48309
248-370-4803