Educause Security Discussion mailing list archives
Re: MFA - Telephony Credit Usage/Reduction
From: "Bandy, John" <jbandy () SAMFORD EDU>
Date: Thu, 21 Nov 2019 20:09:55 +0000
We had the advantage of a new DUO implementation within the last 2 years but we only allowed the DUO Mobile App or the DUO Hard token as authentication options. We had heard of the concern of the cost of credits getting out of control. Also, we implemented DUO at the VPN (via RADIUS) and our SSO portal (which addresses all of our AD authenticated and our SAML/ADFS authenticated applications both on prem and SaaS). Is it possible architect your implementation in a similar manner so the credentials are authenticated once and an active session cookie is passed to the applications? We initially required the users to buy the tokens (if they didn't want to or couldn't use the mobile app) but quickly changed our minds and now the departments are allowed to use their budgets to buy the tokens. We have over 90 hard tokens in a user base of about 2,300 (faculty and staff). We are rolling it out to 8,000+ students in the spring of 2020 but will be following the same model we have used for faculty and staff except if the students want to use the token they will be required to purchase it. I hope this helps. So far (and I realize we are much smaller) we have been very successful while able to keep our cost to a predictable amount (just the cost of the DUO licenses, no credits needed). Feel free to contact me off list if you want any additional details. John Bandy Chief Information Security Officer Technology Services 205-726-2692<tel:+1205-726-2692> | office 205-726-2692 | fax JBandy () Samford Edu<mailto:JBandy () Samford Edu> Twitter<http://twitter.com/SamfordInfoSec> 800 Lakeshore Drive Birmingham, AL 35229<https://maps.google.com/maps?q=800+Lakeshore+Drive,+Birmingham,+AL+35229,+US> [mford Samford University Logo] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Telfer, Will Sent: Thursday, November 21, 2019 1:49 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [EXTERNAL][SECURITY] MFA - Telephony Credit Usage/Reduction Greetings, At Baylor we are utilizing Duo for MFA & encouraging users to download & enroll with the free Duo Mobile app. I think we have decent adoption of the app, as we are consistently seeing above 70% usage of Duo push as the MFA method each month. Duo charges telephony credits for phone call & SMS passcode authentication (the amount of credits varies depending on whether it is a domestic phone number or an international number - if the cost is above 20 credits, that method of authentication is not available to users as this is the default setting). Between phone call & SMS passcode authentication we have seen our telephony credit usage rise from 6-7k credits used per day when we first implemented Duo a couple of years ago to just over 9k per day this month. I know some of this is due to the 60+ services that are now protected by Duo (we started with one service & have since increased that total), but does anyone out there have a better strategy for trying to lower the telephony credit usage other than emailing users that are not using the Duo Mobile app consistently? We suspect at least some of these users have gotten a new device & just haven't re-connected the Duo Mobile app so they are limited to phone or SMS passcode authentication. Usually after I send out a batch of emails there is a temporary dip in telephony credit usage as some re-connect the app using the attached instructions to the email. We have a video tutorial & the same instructions on our campus Duo website & plan to advertise this when the spring semester starts on the basis that new devices may be a popular gift over the semester break. Thank You, Will Telfer, M.S. Information Security Analyst Information Technology Services Follow BaylorITS & look for the #BearAware: Twitter: @BaylorITS Facebook: facebook.com/BaylorITS Website: baylor.edu/BearAware [BU_e-signature] ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://secure-web.cisco.com/1DFHIOx98iKHFvLbyD4qT38_eK-3htdx4EtE3iAYkeBnfX5W7vEGa4VDEcwXc5P_N9eYcjuoTCuGthTEdFIvC1oAl391LVFOCaTjdNWYOG1Gw3DpQiFCkpLsOSoYVYe4aayC7knPyXKZIiHgMUpCL4gfgcbt2FEHq2qTioSj0n_WugG7tu8mWPEfy8dtW-kSMYp0SSB1fQ63DbHjSSlfPxOLAkbxWewF021jMzzRCKBGClZaW15v4UDswlB-PoSdixwBIg4XRs_tBdPrGiwwMhgvKhuPaMYrKxYgUOZq782ZdeS41SW0xvYwj9qBXrep-HDe8v0vugJBDvdWwWFZVeA/https%3A%2F%2Fwww.educause.edu%2Fcommunity> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- MFA - Telephony Credit Usage/Reduction Telfer, Will (Nov 21)
- Re: MFA - Telephony Credit Usage/Reduction Bandy, John (Nov 21)
- Re: MFA - Telephony Credit Usage/Reduction Chad Tracy (Nov 22)
- Re: MFA - Telephony Credit Usage/Reduction Jerry Tylutki (Nov 22)
- Re: MFA - Telephony Credit Usage/Reduction Ed Jalinske (Nov 22)
- Re: MFA - Telephony Credit Usage/Reduction Jerry Tylutki (Nov 22)
- Re: MFA - Telephony Credit Usage/Reduction Chad Tracy (Nov 25)
- Re: MFA - Telephony Credit Usage/Reduction Telfer, Will (Nov 25)
- Re: MFA - Telephony Credit Usage/Reduction Jerry Tylutki (Nov 22)
- <Possible follow-ups>
- Re: MFA - Telephony Credit Usage/Reduction Nick Lewis (Nov 22)