Educause Security Discussion mailing list archives
Re: Protecting workstations with Duo
From: Emily Harris <emharris () VASSAR EDU>
Date: Wed, 7 Jun 2017 16:17:08 -0400
Good conversation - thanks for the feedback. Since I wrote the note we went ahead and added the application and are testing. The tip on laptops makes sense. Our current goal is only to protect admin accounts.

I noticed Duo has a beta MacOS application and we just asked for access. Does anyone here use that yet?

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221

On Wed, Jun 7, 2017 at 2:48 PM, Scantlin, Aaron J. <ScantlinA () missouri edu> wrote:
I disagree; I am much more apt to leave my phone somewhere than I am my keys (where my YubiKey lives). That said, I imagine there are plenty of people where the opposite is true, so as Rich said, choose a solution that provides an acceptable balance of security and usability WRT your organization’s workflow.

FWIW, I really like using the YubiKey as a second factor for Windows login… if the key is not inserted, the user attempting to log in will get an authentication error, but it doesn’t tell you that it’s because you’re missing the YubiKey.

Another handy trick a fellow MU employee shared with me is creating a “password prefix” that only you know and configuring the second mode (3 second press) on the YubiKey to be a long, random string; you can then set your password as the concatenation of your password prefix and YubiKey mode two output… I refer to it as 1.5 FA. ;)

*Aaron J. Scantlin*
*Security Analyst, Division of IT*
GSEC, GCFA
University of Missouri, Columbia
(W) +1-573-884-7555
(C) +1-573-424-0539
scantlina () missouri edu

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Rich Graves
*Sent:* Wednesday, June 7, 2017 1:31 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Protecting workstations with Duo

The nice thing about many of the typical Duo factors is that they are slightly less likely to be stolen or left unattended than a Yubikey or smartcard.

Of course, if you allow voice call to your desktop phone as a backup factor, which is something that we actually recommend to most people for pretty good reasons, that's not going to protect your desktop computer.

Regardless, make sure the security/usability ratio is meaningfully positive.

On Wed, Jun 7, 2017 at 1:24 PM, randy <marchany () vt edu> wrote:

I use Yubikey as my standalone 2nd factor (no duo). I have it tied to my local accounts on my laptops (standalone). The yubico setup is pretty straightforward to set up.

-r.
On Wed, Jun 7, 2017 at 1:23 PM, Emily Harris <emharris () vassar edu> wrote:

I'm curious if anyone has deployed (or is thinking of deploying) MFA on their workstation logins via Duo. It looks like it can be done, but it isn't very straightforward. It requires a local workstation client, and to manage the users via Group policy. Our goal is to require MFA for admin accounts only (for now).

I'm wondering if anyone has already deployed this.

Thanks!

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221