Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA

[Garrett McManaway <garrett.mcmanaway () WAYNE EDU>]

We have used Duo for a while now for employees and are in the process of adding students to Duo for fall semester. We 
have purchased these https://shop.ftsafe.us/products/otp-c100-h41 for about 9 bucks each in bulk to give out to people 
who complain enough about using their phone (we do not issue phones to anyone so all personal devices) or does not have 
a smart phone. We also lend them out to people who are traveling overseas. We do also sell Yubikeys on campus but 
people rarely buy them.

I normally give these through our help desk that has a customer service area in our Student Center. That is of course 
closed right now like the rest of campus, we have distributed other equipment like chromebooks and hotspots to faculty 
and staff in need through our student food back that has remained open during shutdown. That is not ideal but will be 
my backup plan if we are not open by fall.

Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ravi Kotecha
Sent: Tuesday, May 12, 2020 10:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA



This is an external email.
Be cautious of links and attachments.

Hi Beth,

At Brandeis, we are using DUO and chose to offer hardware tokens that generate a one-time passcode instead of the 
YubiKey option. The hardware tokens cost about $20 each and we have decided it's a cost of doing business and any 
faculty, staff, or student can request one, at no cost to them. It is not widely advertised, but offered if someone 
expresses concern over the other 2fa options.

The YubiKeys are great for USB capable devices, but since many users use mobile devices, the tokens were a better 
option for us. One reason we made the tokens available to anyone who asked was so that it was not a symbol of being low 
income. It also takes care of study abroad situations, and we did mail out tokens in those cases but since students 
were on campus when we enabled 2fa, the mailing situations were few and far between.

Best,
Ravi
--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
x67284 | security () brandeis edu<mailto:security () brandeis edu>
[A button with "Hear my name" text for name playback in email signature]<https://www.name-coach.com/ravi-kotecha>


On Mon, May 11, 2020 at 9:02 PM Beth Albertson <albertb3 () wwu edu<mailto:albertb3 () wwu edu>> wrote:
We are in the process of implementing Azure MFA for our staff and students.  We have a small percentage of students 
without smart phones, and would like to offer them the option of using a FIDO2 key.  I was wondering if other 
Universities are using FIDO2 keys, and if so, who is picking up the cost?  Are students expected to buy their own 
device?  Also, we, like most Universities are all online during the Covid crisis, so it seems we would have to mail the 
FIDO2 keys to users if we pick up the cost.  Thank you in advance for any information you can provide.

Sincerely,

Beth Albertson, CISSP®, PMP®
Director of Information Security
Western Washington University
beth.albertson () wwu edu<mailto:beth.albertson () wwu edu>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://urldefense.com/v3/__https:/www.educause.edu/community__;!!DaRZpAeNFA!M4vdDdcgk_1fNNyZV2ZCY-mUPsv4g0OidyLbira4z8z7UaPkO55iBpjfCs8NeaOfBnk$>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community