Evolving Strong Authentication at The University of Arizona

Transcription

1 Evolving Strong Authentication at The University of Arizona Gary Windham Senior Enterprise Systems Architect The University of Arizona, UITS

2 Where are we today? credential strength has been a key concern for many years now: o UA requires NetID passwords to be changed at least every 360 days o password lockout measures predicated on protecting against brute-force online attack o does nothing to protect against interception of credentials

3 Accep0ng the bi5er truth growing realization on campus that password-only authentication is rapidly approaching non-viability despite (rather unpopular) password strength policies, passwords continue to be compromised o keyloggers o hashed passwords stolen in breaches of popular sites o shoulder surfing o sharing passwords

4 Accep0ng the bi5er truth (cont.) the perfect storm: o sophistication of password cracking methodologies and tool sets have increased dramatically over the last several years o the price/performance ratio of commodity dedicated computational hardware (GPUs) has dropped considerably over that time as well o the number of social/saas sites the majority of which maintain their own account registries has exploded

5 The end game... Now, if we consider that sensitive data (i.e., information that falls under the purview of FERPA, HIPAA, PCI, not to mention research data) and administrative functions in key enterprise systems are:... frequently secured via a single-factor, passwordbased authentication mechanism... and your users, like most of us, use a variety of social networking, shopping, and other online services and that the average web user maintains 25 accounts, but uses only 6.5 passwords across them... well, you can connect the dots :)

6 UA's experience with 2FA UA has used two-factor authentication for several years, in very limited, specific scenarios o RSA SecurID o OTP schemes (OPIE, etc) every few years, we would take another look at doing 2FA on a broad scale, using various technologies (smart cards, USB tokens, etc) o not cost-effective on a large scale o substantial operational/administrative overhead o not palatable to a non-technical audience

7 Why Duo, why now? UA has had some serious breaches due to compromised passwords over the past few years Duo Security, through their partnership with Internet2/ InCommon, dramatically lowered the barrier of entry for campus-wide 2FA o leverage the near-ubiquity of smart phones and mobile devices on campus o cost-effective on small or large scale o significant degree of affinity with OSS

8 Making the case general approach has been for UITS to lay the groundwork via the following steps: o prototyping/proof-of-concept o investing in the technology o adopting it internally for some centrally-managed services/enterprise systems o making it easy for campus IT staff to utilize o making a compelling case for adoption

9 Rolling- out 2FA w/ Duo initially deployed to groups within University Information Technology Services for testing our Systems Administration group secured access to their bastion hosts and Windows Domain Controllers with Duo our Network operations team used Duo's Cisco ASA VPN integration to add 2FA to several VPN profiles

10 Rolling- out 2FA w/ Duo (cont.) Integrated Duo with our campus web SSO environment o UA uses both JA-SIG CAS and Internet2 s Shibboleth o needed to integrate Duo with both CAS and Shibboleth, allowing Duo to be used across both o developed solution based on Unicon s cas-mfa CAS server overlay, combined with Jim Fox s (University of Washington) Shibboleth Remote Login Handler extension for 2FA added per-user and per-service mfarequired attribute allow services to require 2FA for only specific LDAP groups (managed via Grouper)

11 Rolling- out 2FA w/ Duo (cont.) Deploying to community at-large o branded NetID+ o outreach: o o o o articles in employee newsletter and Daily Wildcat communications to various campus listservs endorsement from ISO presentation to various campus groups (NetManagers, UA Web Developers, etc) o developed self-service portal for enrollment, device management, fallback mechanisms ( lifelines, bypass codes ), etc. o provided end-users the ability to require Duo authentication when signing in to any services using campus SSO, even if service provider doesn t require MFA ( Global NetID+ )

12 Support & Logis0cs self-service portal intended to be primary vector for support Provided support tools to our help desk staff: o can see if user has enrolled one or more devices in NetID+, and if opted-in to Global NetID+ o opt-out user from Global NetID+ o generate bypass codes for user FAQs & tutorial videos for end users and service providers

13 Adop0on As of :48 MST: o 1592 distinct users have logged-in to self-service portal o 444 users have registered at least 1 device o 571 devices registered o 107 users have enabled Global NetID+ o Duo Push (via the Duo Mobile app) is by far the most popular mechanism 2:1 over all other methods combined FAQs & tutorial videos for end users and service providers

14 Thank You! Q & A?