Educause Security Discussion mailing list archives

Re: MFA - Telephony Credit Usage/Reduction


From: "Bandy, John" <jbandy () SAMFORD EDU>
Date: Thu, 21 Nov 2019 20:09:55 +0000

We had the advantage of a new DUO implementation within the last 2 years but we only allowed the DUO Mobile App or the 
DUO Hard token as authentication options.  We had heard of the concern of the cost of credits getting out of control.  
Also, we implemented DUO at the VPN (via RADIUS) and our SSO portal (which addresses all of our AD authenticated and 
our SAML/ADFS authenticated applications both on prem and SaaS).  Is it possible to architect your implementation in a 
similar manner so the credentials are authenticated once and an active session cookie is passed to the applications?

We initially required the users to buy the tokens (if they didn't want to or couldn't use the mobile app) but quickly 
changed our minds and now the departments are allowed to use their budgets to buy the tokens.  We have over 90 hard 
tokens in a user base of about 2,300 (faculty and staff).   We are rolling it out to 8,000+ students in the spring of 
2020 but will be following the same model we have used for faculty and staff except if the students want to use the 
token they will be required to purchase it.

I hope this helps.  So far (and I realize we are much smaller) we have been very successful while able to keep our cost 
to a predictable amount (just the cost of the DUO licenses, no credits needed).

Feel free to contact me off list if you want any additional details.


John Bandy
Chief Information Security Officer
Technology Services

205-726-2692 | office
205-726-2692 | fax
JBandy () Samford Edu
Twitter: http://twitter.com/SamfordInfoSec
800 Lakeshore Drive
Birmingham, AL 35229




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Telfer, Will
Sent: Thursday, November 21, 2019 1:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL][SECURITY] MFA - Telephony Credit Usage/Reduction

Greetings,

At Baylor we are utilizing Duo for MFA & encouraging users to download & enroll with the free Duo Mobile app. I think 
we have decent adoption of the app, as we are consistently seeing above 70% usage of Duo push as the MFA method each 
month. Duo charges telephony credits for phone call & SMS passcode authentication (the amount of credits varies 
depending on whether it is a domestic phone number or an international number - if the cost is above 20 credits, that 
method of authentication is not available to users as this is the default setting). Between phone call & SMS passcode 
authentication we have seen our telephony credit usage rise from 6-7k credits used per day when we first implemented 
Duo a couple of years ago to just over 9k per day this month. I know some of this is due to the 60+ services that are 
now protected by Duo (we started with one service & have since increased that total), but does anyone out there have a 
better strategy for trying to lower the telephony credit usage other than emailing users that are not using the Duo 
Mobile app consistently?

We suspect at least some of these users have gotten a new device & just haven't re-connected the Duo Mobile app so they 
are limited to phone or SMS passcode authentication. Usually after I send out a batch of emails there is a temporary 
dip in telephony credit usage as some re-connect the app using the attached instructions to the email. We have a video 
tutorial & the same instructions on our campus Duo website & plan to advertise this when the spring semester starts on 
the basis that new devices may be a popular gift over the semester break.

Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services

Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website: baylor.edu/BearAware



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
