Educause Security Discussion mailing list archives

Re: MFA - Telephony Credit Usage/Reduction


From: "Telfer, Will" <Will_Telfer () BAYLOR EDU>
Date: Mon, 25 Nov 2019 14:33:49 +0000

We do not distinguish between personal or university owned devices in any way.

Our campus bookstore sells the Duo Hardware Tokens for $30 because it quickly became cost ineffective for us to provide 
them to users (initially we loaned them out to users in need & the handful of faculty/staff that did not have a mobile 
device of any kind). We also offer the U2F authentication functionality & those devices can be purchased for $10 & up 
on various sites.

We have it implemented via Shibboleth & on our VPN portal & we allow the ‘Remember me’ feature for 7 days, but even 
with all of that we are still seeing our telephony credit usage increase. At this point disabling phone call & SMS 
passcode authentication seems like a non-starter due to the pushback we have gotten from faculty & staff that do not 
want “anything” work related on their personal devices, nor are they willing to incur any additional cost by purchasing 
another device (token or U2F). We initially had all the authentication options enabled because we needed users to adopt 
Duo due to the rollout to our student/employee information system. The environment has obviously changed since the 
initial rollout with much more being protected behind Duo (including our email). I have been tasked with analyzing some 
data from this semester to see if the increase occurred about the time the new iPhone was released as our Help Desk 
reported an increase of call volume when Duo experienced technical difficulties with the phone call authentication 
method & during those calls it was discovered that the phone model listed in Duo was not the model the student was 
currently using.

Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services

Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website: baylor.edu/BearAware


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ed Jalinske
Sent: Friday, November 22, 2019 4:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA - Telephony Credit Usage/Reduction

Will, Chad, Jerry –

Do you have separate policies for University owned devices versus personal devices when disallowing SMS? If so, what 
are they and what is the basic reasoning for each? How have your campus communities responded?

Thanks,

Ed Jalinske, J.D.
University of Wisconsin-Madison
Office of Cybersecurity
Program Director, Cybersecurity Policy and Education
UW-Madison School of Business
Adjunct Professor, Information Privacy and Security
608.262.3837 (Office)
917.945.0748 (Cell)
ed.jalinske () wisc edu


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jerry Tylutki
Sent: Friday, November 22, 2019 8:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA - Telephony Credit Usage/Reduction

We have disallowed SMS as well.

To date we have around 84% push authentication, 7.5% with passcode, and 5.5% that use phone. To date the telephony 
credits haven't become an issue with our implementation. It will be interesting if the percentage changes in 12-18 
months once users start to purchase new phones.

-------
Jerry Tylutki
Information Security Officer
Hamilton College
(315) 859-4289 -- office

*****The contents of this email are CONFIDENTIAL. If you have received this email by mistake, please notify the sender 
and delete the email and its contents.*****


On Fri, Nov 22, 2019 at 7:23 AM Chad Tracy <ctracy () bates edu> wrote:
Will,

I am not sure of the breakdown between the telephone and SMS authentication, but we ended up not allowing SMS. I am not 
sure if that is possible for you all.... in the end, folks will take the easiest path they think is available. To that 
end, it is sometimes up to us to give them just one path.

Chad

On Thu, Nov 21, 2019 at 2:49 PM Telfer, Will <Will_Telfer () baylor edu> wrote:
Greetings,

At Baylor we are utilizing Duo for MFA & encouraging users to download & enroll with the free Duo Mobile app. I think 
we have decent adoption of the app, as we are consistently seeing above 70% usage of Duo push as the MFA method each 
month. Duo charges telephony credits for phone call & SMS passcode authentication (the amount of credits varies 
depending on whether it is a domestic phone number or an international number – if the cost is above 20 credits, that 
method of authentication is not available to users as this is the default setting). Between phone call & SMS passcode 
authentication we have seen our telephony credit usage rise from 6-7k credits used per day when we first implemented 
Duo a couple of years ago to just over 9k per day this month. I know some of this is due to the 60+ services that are 
now protected by Duo (we started with one service & have since increased that total), but does anyone out there have a 
better strategy for trying to lower the telephony credit usage other than emailing users that are not using the Duo 
Mobile app consistently?

We suspect at least some of these users have gotten a new device & just haven’t re-connected the Duo Mobile app so they 
are limited to phone or SMS passcode authentication. Usually after I send out a batch of emails there is a temporary 
dip in telephony credit usage as some re-connect the app using the attached instructions to the email. We have a video 
tutorial & the same instructions on our campus Duo website & plan to advertise this when the spring semester starts on 
the basis that new devices may be a popular gift over the semester break.

Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services

Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website: baylor.edu/BearAware



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


--
Chad Tracy
Director of Information Security, Policy and Compliance
Bates College
207 786-6491
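
The analysis discussed in this thread (finding users who once used Duo push but now authenticate only by phone call or SMS passcode, for example after a device change) can be sketched as below. This is an added example, not part of the original thread or of Duo's tooling; the CSV layout, column names and factor labels are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names and factor labels are assumptions
# for illustration, not Duo's actual log schema.
SAMPLE_LOG = """timestamp,username,factor
2019-09-03T08:01:00,asmith,push
2019-09-10T08:02:00,asmith,push
2019-09-24T08:05:00,asmith,phone_call
2019-09-25T08:03:00,asmith,phone_call
2019-09-26T08:04:00,asmith,sms_passcode
2019-09-04T09:00:00,bjones,phone_call
2019-09-05T09:00:00,bjones,phone_call
2019-09-06T09:00:00,bjones,phone_call
2019-09-03T10:00:00,clee,push
2019-09-12T10:00:00,clee,sms_passcode
2019-09-13T10:00:00,clee,push
2019-09-20T10:00:00,clee,push
"""

TELEPHONY = {"phone_call", "sms_passcode"}  # methods that consume credits


def find_push_regressions(log_text, min_streak=3):
    """Return {user: (last_push_time, telephony_auths_since)} for users who
    used push before but whose latest min_streak+ auths were all telephony."""
    by_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        by_user[row["username"]].append((ts, row["factor"]))

    flagged = {}
    for user, events in by_user.items():
        events.sort()
        pushes = [ts for ts, factor in events if factor == "push"]
        if not pushes:
            continue  # never enrolled the app: a different outreach group
        last_push = pushes[-1]
        since = [f for ts, f in events if ts > last_push]
        if len(since) >= min_streak and all(f in TELEPHONY for f in since):
            flagged[user] = (last_push, len(since))
    return flagged


if __name__ == "__main__":
    for user, (last_push, n) in find_push_regressions(SAMPLE_LOG).items():
        print(f"{user}: last push {last_push.date()}, {n} telephony auths since")
```

The last-push timestamps of flagged users can then be bucketed by week to see whether regressions cluster around a particular date.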


