Evolving Strong Authentication at The University of Arizona


Evolving Strong Authentication at The University of Arizona
Gary Windham, Senior Enterprise Systems Architect
The University of Arizona, UITS
gary.windham@arizona.edu

Where are we today?
credential strength has been a key concern for many years now:
o UA requires NetID passwords to be changed at least every 360 days
o password lockout measures predicated on protecting against brute-force online attack
o does nothing to protect against interception of credentials

Accepting the bitter truth
growing realization on campus that password-only authentication is rapidly approaching non-viability
despite (rather unpopular) password strength policies, passwords continue to be compromised:
o keyloggers
o hashed passwords stolen in breaches of popular sites
o shoulder surfing
o sharing passwords

Accepting the bitter truth (cont.)
the perfect storm:
o the sophistication of password cracking methodologies and tool sets has increased dramatically over the last several years
o the price/performance ratio of commodity dedicated computational hardware (GPUs) has dropped considerably over that time as well
o the number of social/SaaS sites, the majority of which maintain their own account registries, has exploded

The end game...
Now, if we consider that sensitive data (i.e., information that falls under the purview of FERPA, HIPAA, PCI, not to mention research data) and administrative functions in key enterprise systems are:
... frequently secured via a single-factor, password-based authentication mechanism...
... and your users, like most of us, use a variety of social networking, shopping, and other online services...
... and that the average web user maintains 25 accounts, but uses only 6.5 passwords across them...
... well, you can connect the dots :)

UA's experience with 2FA
UA has used two-factor authentication for several years, in very limited, specific scenarios:
o RSA SecurID
o OTP schemes (OPIE, etc.)
every few years, we would take another look at doing 2FA on a broad scale, using various technologies (smart cards, USB tokens, etc.):
o not cost-effective on a large scale
o substantial operational/administrative overhead
o not palatable to a non-technical audience

Why Duo, why now?
UA has had some serious breaches due to compromised passwords over the past few years
Duo Security, through their partnership with Internet2/InCommon, dramatically lowered the barrier to entry for campus-wide 2FA:
o leverages the near-ubiquity of smart phones and mobile devices on campus
o cost-effective on a small or large scale
o significant degree of affinity with OSS

Making the case
general approach has been for UITS to lay the groundwork via the following steps:
o prototyping/proof-of-concept
o investing in the technology
o adopting it internally for some centrally-managed services/enterprise systems
o making it easy for campus IT staff to utilize
o making a compelling case for adoption

Rolling out 2FA w/ Duo
initially deployed to groups within University Information Technology Services for testing:
o our Systems Administration group secured access to their bastion hosts and Windows Domain Controllers with Duo
o our Network Operations team used Duo's Cisco ASA VPN integration to add 2FA to several VPN profiles

Rolling out 2FA w/ Duo (cont.)
Integrated Duo with our campus web SSO environment:
o UA uses both JA-SIG CAS and Internet2's Shibboleth
o needed to integrate Duo with both CAS and Shibboleth, allowing Duo to be used across both
o developed a solution based on Unicon's cas-mfa CAS server overlay, combined with Jim Fox's (University of Washington) Shibboleth Remote Login Handler extension for 2FA
o added per-user and per-service mfarequired attributes
o allow services to require 2FA for only specific LDAP groups (managed via Grouper)

Rolling out 2FA w/ Duo (cont.)
Deploying to the community at large:
o branded NetID+
o outreach:
  o articles in employee newsletter and Daily Wildcat
  o communications to various campus listservs
  o endorsement from ISO
  o presentation to various campus groups (NetManagers, UA Web Developers, etc.)
o developed self-service portal for enrollment, device management, fallback mechanisms ("lifelines", bypass codes), etc.
o provided end-users the ability to require Duo authentication when signing in to any service using campus SSO, even if the service provider doesn't require MFA ("Global NetID+")
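The two SSO slides above describe three inputs to the "is a second factor needed?" decision: a per-service mfarequired attribute, an optional restriction of that requirement to specific LDAP groups (resolved through Grouper), and the per-user Global NetID+ opt-in that forces Duo on every SSO login regardless of what the service asks for. The following is an added example, not code from the University of Arizona, Unicon, Jim Fox or Duo, that models that decision and the one failure mode the deck's fallback mechanisms exist for: a user who must use a second factor but has no enrolled device. Service ids, group names, user records and the outcome labels are all constructed.

```python
"""
Added example (not UA's, Unicon's or Duo's code): a model of the SSO-side
decision described in the deck. A per-service "mfarequired" attribute can be
limited to specific groups (names as they would come from Grouper), and a
per-user "Global NetID+" opt-in requires a second factor on every SSO login.
All identifiers and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class ServicePolicy:
    service_id: str                       # constructed CAS service / SP id
    mfa_required: bool = False            # the per-service "mfarequired" attribute
    # when non-empty, the requirement applies only to members of these groups
    required_for_groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class UserRecord:
    netid: str
    groups: FrozenSet[str] = frozenset()  # as resolved from LDAP / Grouper
    enrolled_devices: int = 0             # devices registered in the self-service portal
    global_mfa_opt_in: bool = False       # "Global NetID+"


def mfa_required(user: UserRecord, service: ServicePolicy) -> Tuple[bool, str]:
    """Decide whether this login needs a second factor. The reason is for audit logs."""
    if user.global_mfa_opt_in:
        return True, "user opted in to Global NetID+"
    if not service.mfa_required:
        return False, "service does not require a second factor"
    if service.required_for_groups:
        hit = user.groups & service.required_for_groups
        if hit:
            return True, "service requires 2FA for group(s): " + ", ".join(sorted(hit))
        return False, "service requires 2FA only for groups the user is not in"
    return True, "service requires a second factor for every user"


def login_outcome(user: UserRecord, service: ServicePolicy) -> str:
    """
    Map the policy decision onto what the SSO flow should do next:
      'allow'           - password alone is sufficient for this service
      'second_factor'   - send the user through Duo
      'enroll_required' - a second factor is required but the user has no
                          device; divert to enrollment or a help-desk bypass
                          code, never silently fall back to password-only.
    """
    required, _reason = mfa_required(user, service)
    if not required:
        return "allow"
    if user.enrolled_devices == 0:
        return "enroll_required"
    return "second_factor"


# Constructed sample data.
SERVICES: Dict[str, ServicePolicy] = {
    "library": ServicePolicy("library"),
    "payroll": ServicePolicy("payroll", mfa_required=True,
                             required_for_groups=frozenset({"hr-staff"})),
    "bastion": ServicePolicy("bastion", mfa_required=True),
}
USERS: Dict[str, UserRecord] = {
    "alice": UserRecord("alice", frozenset({"hr-staff"}), enrolled_devices=2),
    "bob":   UserRecord("bob", frozenset({"students"}), enrolled_devices=0),
    "carol": UserRecord("carol", frozenset({"students"}), enrolled_devices=1,
                        global_mfa_opt_in=True),
    "dave":  UserRecord("dave", frozenset({"sysadmin"}), enrolled_devices=0),
}


def decide(netid: str, service_id: str) -> str:
    """Convenience wrapper over the constructed tables."""
    return login_outcome(USERS[netid], SERVICES[service_id])


if __name__ == "__main__":
    for n, s in [("alice", "payroll"), ("bob", "payroll"),
                 ("carol", "library"), ("dave", "bastion")]:
        print(f"{n:6s} -> {s:8s} {decide(n, s):16s} ({mfa_required(USERS[n], SERVICES[s])[1]})")
```

The ordering matters: the user's own opt-in is checked first so that a service marked as not requiring MFA cannot weaken a choice the user made, and an unenrolled user who hits an MFA-required service is reported as a distinct outcome rather than being let through on the password alone.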

Support & Logistics
self-service portal intended to be the primary vector for support
provided support tools to our help desk staff:
o can see if a user has enrolled one or more devices in NetID+, and if opted in to Global NetID+
o opt a user out of Global NetID+
o generate bypass codes for a user
FAQs & tutorial videos for end users and service providers
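Help-desk bypass codes, mentioned on this slide and as one of the "lifelines" on the previous one, are the weakest link in a deployment like this if they are reusable, long-lived or stored in clear. The block below is an added example, not the University of Arizona's or Duo's implementation, of a bypass-code store that keeps codes single-use, time-limited, hashed at rest with a server-side pepper, and tied to who issued them. The code length, lifetime, pepper and the sample NetID are constructed values.

```python
"""
Added example (not UA's or Duo's code): a minimal help-desk bypass-code store.
Codes are random digits, stored only as a keyed hash, bound to one NetID,
expire after a short TTL and can be redeemed exactly once. The audit field
records which help-desk account issued the code. Values are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

CODE_DIGITS = 9      # constructed choice of code length
DEFAULT_TTL = 600    # constructed lifetime in seconds


class BypassCodeStore:
    def __init__(self, pepper: bytes):
        # Server-side secret; a stolen copy of the store alone cannot be
        # brute-forced offline without it.
        self._pepper = pepper
        self._codes: Dict[str, List[dict]] = {}

    def _digest(self, netid: str, code: str) -> bytes:
        # Keyed hash over netid and code so a code is only valid for the
        # user it was issued to.
        return hmac.new(self._pepper, f"{netid}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, netid: str, issued_by: str, ttl: int = DEFAULT_TTL,
              now: Optional[float] = None) -> str:
        """Create a one-time code for netid; returns the clear code exactly once."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._codes.setdefault(netid, []).append({
            "digest": self._digest(netid, code),
            "expires": now + ttl,
            "used": False,
            "issued_by": issued_by,   # audit trail: which help-desk account
            "issued_at": now,
        })
        return code

    def redeem(self, netid: str, code: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Consume a code. Returns (accepted, reason); the reason is for logs."""
        now = time.time() if now is None else now
        candidate = self._digest(netid, code)
        for entry in self._codes.get(netid, []):
            if hmac.compare_digest(entry["digest"], candidate):
                if entry["used"]:
                    return False, "already used"
                if now > entry["expires"]:
                    return False, "expired"
                entry["used"] = True
                return True, "accepted"
        return False, "unknown code"

    def outstanding(self, netid: str, now: Optional[float] = None) -> int:
        """Unused, unexpired codes for a user; useful on the help-desk view."""
        now = time.time() if now is None else now
        return sum(1 for e in self._codes.get(netid, [])
                   if not e["used"] and now <= e["expires"])


if __name__ == "__main__":
    store = BypassCodeStore(pepper=b"constructed-pepper-replace-in-production")
    code = store.issue("jdoe", issued_by="helpdesk-agent-1")
    print("issued", code, "outstanding:", store.outstanding("jdoe"))
    print("first redeem:", store.redeem("jdoe", code))
    print("second redeem:", store.redeem("jdoe", code))
```

Because the store compares keyed digests with hmac.compare_digest and never keeps the clear code, the only place the code exists in clear is the help-desk screen or the call on which it is read out, which is where the identity-proofing step on that slide has to happen.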

Adoption
As of 2014-05-14 09:48 MST:
o 1592 distinct users have logged in to the self-service portal
o 444 users have registered at least 1 device
o 571 devices registered
o 107 users have enabled Global NetID+
o Duo Push (via the Duo Mobile app) is by far the most popular mechanism: 2:1 over all other methods combined

Thank You! Q & A?