Multi-factor Authentication Initiative



"UCR's Multi-factor Authentication Initiative is an easy-to-use solution to our need to secure our campus community's credentials. The Duo Security system that we integrated with our campus single sign-on infrastructure is more flexible and easier to use than technologies we previously tested. Duo's broad range of options for entering an additional authentication factor ensure that the full spectrum of our user base will be able to take advantage of this enhanced security. I believe this is a best-in-breed implementation of multi-factor authentication."
-- Bob Grant, Executive Director and CTO, UCR Computing and Communications

Campus Impact

UC Riverside's implementation of a multi-factor authentication (MFA) initiative has provided the campus with a huge leap forward in network security that is easy for members of the campus community to adopt, since it relies on devices (e.g. smartphones) they are already familiar with. Since it is integrated with the campus single sign-on infrastructure (CAS), it is a smooth extension to the authentication processes they already use.

Business Need

UCR has made a strategic investment during the past decade in identity management and a single sign-on infrastructure that leverages Jasig's Central Authentication Services (CAS). All members of our campus community use their credentials (a UCR NetID and password) through CAS to access web applications and databases. Many of these have increased security requirements because they incur financial obligations and access personally identifiable information (PII) in human resource or student records. This highly integrated authentication and authorization infrastructure operates in the context of an almost daily onslaught of phishing messages, viruses and network probes that seek to steal the credentials of staff, faculty and students. Consequently there is a clear business need to mitigate the risk of a breach associated with the accidental or purposeful divulging of credentials, in a manner that easily integrates into the well-established authentication and authorization channels currently used by campus (CAS). UCR's implementation of an MFA initiative based on the Duo Security system and customized to integrate with CAS meets this need, since it requires two authentication factors: a password followed by the use of a smartphone or token that can't be divulged in a phishing attack or via other means.

Highlights

- Evaluation of Duo Security vs. an in-house developed TOTP MFA solution.
- Development of reusable modules for integrating Duo Security based multi-factor authentication with a Central Authentication Services (CAS) single sign-on system.
- Development of a user portal for self-management of devices used for authentication (e.g. phones, hardware tokens, and cell and land-line phone numbers).

The Process: Technology and Implementation

Evaluation

The initial evaluation phase began with identifying factors to rate potential multi-factor implementations. Ten different factors were identified:

Integration with CAS: Can the product integrate with the campus CAS implementation?
Integration with Windows/AD: Can the product integrate with Active Directory (Windows) based authentication?
Application specific passwords: Can users set passwords for applications that cannot easily be made to use multi-factor authentication, such as email?
Highly available: Is the product highly available and redundant?
Monitorable: Can the product be easily monitored for outages?
Multi-channel capable: Do users have the option to use several different types of devices for authentication (smartphones, tokens, SMS)?
Multiple classes of users: Can users be classified into groups such as administrators, financial system transactors, etc.?
Ability to opt-in/opt-out: Is it possible to opt in a subset of users to begin a pilot?
Campus VPN integration: Can the product integrate with the campus Cisco VPN?
Integration with SSH: Can the product be used to require multi-factor when authenticating over SSH?

After some initial research, five products were identified for initial evaluation using the evaluation factors: Duo Security, PhoneFactor, Toopher, Authy, and SecureAuth. Additionally, an in-house developed solution based on time-based one-time passwords (TOTP) was added to the list. Each solution was then rated against the ten factors (matrix columns: Duo, PhoneFactor, Toopher, Authy, SecureAuth, TOTP). Based on the initial evaluation, two solutions, Duo Security and the TOTP solution, were chosen for further evaluation.

Selection

Ultimately, the selection of Duo Security over the in-house developed TOTP solution hinged on the number of authentication channels available out of the box. While the TOTP solution could rely on a smartphone product like Google Authenticator, or a token, Duo offered a rich set of smartphone applications that performed push authentication requests, which made it easier to use.

Implementation

The implementation thus far of multi-factor authentication consisted of two parts: first, writing the code to integrate Duo Security with CAS, and second, developing a portal utilizing Duo Security APIs for users of MFA to enroll and manage smartphones and tokens.

CAS Integration

The Duo Security product comes with a number of integrations, but CAS is not one of them. Fortunately the CAS architecture allows extensions to add new authentication types. At a high level, several things needed to be added or changed in CAS:

- The Spring web flow was altered to show a second authentication screen for Duo if the user was opted into MFA and the application being accessed allowed or required MFA.
- Spring web flow action beans were added to connect to the Duo Security web services and perform the second authentication for a user (send a push notification to Duo Mobile, verify a passcode generated by a token, etc.).
- The CAS security context was extended for an authenticated user so CAS could keep track of whether a CAS ticket granting ticket was generated using only a username/password (one factor) or username/password plus a Duo Security authentication (two factors).
- Code was added to query the attributes in the CAS services registry to determine whether a particular application requires MFA.

UCR has placed the code to integrate with CAS in an open-source repository and has already had inquiries from two other universities regarding our implementation.

Multi-factor Authentication Enrollment Portal

Duo Security does not offer a customizable branded enrollment portal for users, but does offer a rich set of APIs for building such a solution. UCR opted to build a customized portal utilizing these APIs to facilitate enrollment and subsequent profile management. This application, written using the Grails framework, has several features:

- A step-by-step wizard to walk a user through enrolling in MFA for the first time.
- Once enrolled, the ability to add/remove smartphones and tablets that are running the Duo Security mobile app.
- Once enrolled, the ability to add/remove hardware tokens such as a Yubico YubiKey.
- The ability to request several single-use passcodes in the event the enrolled smartphone/token is unavailable.

Implementation Flexibility

UCR's implementation allows applications to flexibly configure their MFA requirement based on a number of attributes. The most secure level, to be utilized once MFA is rolled out extensively on campus, is to require MFA of every user of the application. This would require a user to be set up for MFA before using the application for the first time. Current applications enabled for MFA only require it for users who have enrolled in the MFA production pilot. Other applications may choose not to require MFA at all. Our campus portals and about 20 other applications currently utilize MFA for all enrolled users.

Testimonials

"I'll admit, when it was proposed that I pilot the new multi-factor authentication tool, I was worried that it was going to take longer to access campus applications and, because I am a non-techy, using MFA would not be easy. I was pleasantly surprised to find out my experience was the exact opposite. The Duo Security application was easy to install on my iPhone and it is extremely user friendly. As soon as I try to log on to any campus application or the R'Space portal, a push notification is sent to my iPhone. When I acknowledge the push notification, in no time at all, a screen appears on my phone asking me to verify my authentication by simply touching Approve on my phone screen. It is an extremely fast and painless process. I have had absolutely no problems with MFA and am still able to access applications in a timely manner. I wish all pilots went this smoothly."
-- Shelley Gupta, CFAO, Computing and Communications

"UC Riverside's implementation of MFA has already become an integral part of the defense in depth strategy for campus users and resources. Our security teams spend considerable time dealing with compromised credentials, and MFA is a new defense layer to combat these issues. The MFA implementation provides the critical enhancement of security for users without sacrificing usability and functionality of campus services. It has truly been a commendable implementation."
-- Nick Turley, Manager of IT Security, Computing and Communications

Timeline

May 2013: Project initiation
June 2013: Evaluation and selection of solution
August 2013: Integration with CAS completed
September 2013: Enrollment portal completed
October 2013: Production pilot begun with Computing and Communications staff
March 2014: MFA deployment planning and phased deployment to campus

Team Members

Computing & Communications
Michael Kennedy, Enterprise Architect
Stephen Hock, Manager of Identity Management, Infrastructure and Security
Jonathan Ocab, Systems Analyst, Infrastructure and Security
Andrew Tristan, Associate Director, Infrastructure and Security
Russ Harvey, Director, Infrastructure and Security

Submitted By

Michael Kennedy
Enterprise Architect
Computing & Communications
michael.kennedy@ucr.edu
(951) 827-4875
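The per-request MFA decision described under CAS Integration and Implementation Flexibility above (a security context that records whether a ticket granting ticket carries one or two factors, checked against the application's MFA requirement from the services registry), written out as an added Python example. This is not UCR's CAS extension, which is Java; the names MfaPolicy, Service, Session and Decision are assumptions, and the Duo web service calls are not modelled.

```python
# Added example (not UCR's code): the per-request MFA decision a CAS login
# flow makes, per the case study. Names below are hypothetical; the Duo web
# service calls and the CAS service registry itself are not modelled.
from dataclasses import dataclass
from enum import Enum

class MfaPolicy(Enum):
    """Per-application setting stored as an attribute in the CAS service registry."""
    REQUIRED = "required"       # every user must use MFA; unenrolled users are refused
    ENROLLED_ONLY = "enrolled"  # pilot mode: second factor only for enrolled users
    NONE = "none"               # application never asks for a second factor

@dataclass(frozen=True)
class Service:
    name: str
    mfa: MfaPolicy

@dataclass
class Session:
    """What the extended CAS security context records about a ticket granting ticket."""
    username: str
    enrolled: bool      # user completed enrollment in the portal
    factors: int = 1    # 1 = password only, 2 = password + Duo

class Decision(Enum):
    ALLOW = "allow"                # current ticket already satisfies the service
    DUO_STEP = "duo_step"          # show the Duo screen, then upgrade the ticket
    ENROLL_FIRST = "enroll_first"  # service requires MFA but the user is not enrolled

def decide(session: Session, service: Service) -> Decision:
    if service.mfa is MfaPolicy.NONE:
        return Decision.ALLOW
    if not session.enrolled:
        # REQUIRED refuses unenrolled users; pilot mode lets them through on one factor
        if service.mfa is MfaPolicy.REQUIRED:
            return Decision.ENROLL_FIRST
        return Decision.ALLOW
    # Enrolled user: a two-factor ticket already satisfies the service, but a
    # one-factor ticket (e.g. SSO from an app that did not ask for MFA) must be
    # stepped up now rather than reused, which is why the factor count is tracked.
    return Decision.ALLOW if session.factors >= 2 else Decision.DUO_STEP

def complete_duo(session: Session, duo_approved: bool) -> Session:
    """Upgrade the security context only after Duo reports an approved push or passcode."""
    if duo_approved:
        session.factors = 2
    return session
```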