
Multi-factor Authentication Jacob Farmer (jpfarmer@iu)

Multi-factor Authentication Jacob Farmer (jpfarmer@iu.edu). INDIANA UNIVERSITY. University Information Technology Services. For most of “IT History,” phishing has generally been sort of a smash-and-grab affair. Steal credentials to get software, journal articles, spam some more….


Presentation Transcript


  1. Multi-factor Authentication. Jacob Farmer (jpfarmer@iu.edu). INDIANA UNIVERSITY. University Information Technology Services.

  2. For most of “IT History,” phishing has generally been sort of a smash-and-grab affair. Steal credentials to get software, journal articles, spam some more…

  3. Day 1 - First Phishing Message Received

  4. Day 14 - Phishing Messages Blocked
     • Dozens of different distinct messages
     • Dozens of variations sent to over 12,000 IU users (mostly faculty and staff).
     • Stopped on Day 14 by blocking using a low-sophistication method
     • Links constantly changing to different domains

  5. Days 33-39 - Fraud Detected
     • University Information Policy Office receives first report that paycheck had been redirected (no financial loss in the end).
     • Forensic analysis reveals over 800 users had entered credentials (while on IU network) and/or had their personal financial info viewed by known bad IP addresses.
     • UITS scrambles passwords of all 800+ affected users.
     • All compromised accounts had received variant phishing messages, and those recipients who had their pay data changed were among those who had provided credentials to the bogus site.
     • IU notifies users, Indiana State Attorney General, FBI.

  6. Days 40-48 - Communications
     • IU Chief Security Officer sends message to all 12,000 users who had received initial phish, urging them to change their passwords.
     • IT Communications Office sends special newsletter to all 150,000+ faculty, staff, students, affiliates devoted to dangers of phishing, and tools to guard against it.
     • CIO personally emails all IU accounts.
     • Despite communications, by day 54, an additional 75+ users have had accounts compromised.

  7. Days 54-59 – New Security Measures
     • IU suspends self-service access to Employee Center, where W2, Direct Deposit, and benefits information is stored.
     • Employee Center re-opened and requires users to have two-factor authentication (2FA) using Duo.
     • No additional compromised accounts detected since 2FA requirement began.

  8. “We are working hard to re-balance convenience with essential controls as our community does the work of IU, and we have taken the deliberate decision that the situation compels that we trade off some long-enjoyed convenience for greater security.” – Vice President of IT and CIO Brad Wheeler

  9. How big did Duo get?
     • 150k active users (253k total)
     • 1M+ successful authentications per week
     • 299k authenticators provisioned; mostly phones, but a lot of hardware tokens
     • ~800 U2F tokens

  10. What kind of authenticators?
     • Duo push around 60-65%
     • Passcode around 10-11%
     • SMS about 57%
     • Voice about 20-21%
     • Bypass is a small, predefined group of users

  11. Remote recovery
     • An obvious question: what happens when folks are locked out of Duo and they can’t get to a campus?
     • Less obvious answer: how do you fix it?
     • This one is hard, start working on it early.

  12. Tokens, a supply chain, and…
     • IU has a strong institutional memory regarding tokens (currently 30,000+ imported to Duo)
     • We initially began procuring tokens directly from Duo
     • Moving to a direct purchase has been overall a really good business decision, except…
     • …the supply chain challenges are really tricky.

  13. Tokens, a supply chain, and Chinese New Year
     • Tokens are made to order for us, which means they are fresh (no ‘shelf aging’!) and programmed to our specifications.
     • Made to order means lead time…and carefully evaluating where that lead time falls into the production schedule. Varies from 2 to 6+ weeks.
     • The “right call” assuming you can manage it

  14. A Testing Center Conundrum
     • What do we do when our authenticators are prohibited by policy, but the policy isn’t ours to change?
     • Get a code before you go into the test, write it down on scrap paper, then give it to the proctor.

  15. Remember me, remember you, remember when?
     • The original IU philosophy on “remember me” is that it is philosophically wrong to do it.
     • While philosophically wrong, is it operationally wrong?
     • We progressed from 12 hours, to 24 hours, to 7 days with few ill effects so far.
     • There are advantages and challenges to this approach

  16. What if Duo isn’t there?
     • “If the internet is down, we have bigger problems than Duo.”
     • At the time we acquired Duo, repeated and/or sustained service outage was considered an extreme edge case that didn’t get much attention.
     • That worldview, unfortunately, has changed.
     • What do we do now?

  17. How tightly are we locked in?
     • Challenge: very evident
     • Solution: very not-evident
     • Cisco purchase: better or worse?

  18. Multi-factor Authentication. Jacob Farmer (jpfarmer@iu.edu). INDIANA UNIVERSITY. University Information Technology Services.
