Multifactor Authentication: Reporting from the Field (236876847)

8/11/2019 Multifactor Authentication: Reporting from the Field (236876847)

http://slidepdf.com/reader/full/multifactor-authentication-reporting-from-the-field-236876847 1/23

MultifactorAuthenticationReport From the Field

Why Multifactor?

Passwords are not enough

User education about phishing and other social

engineering attacks - not completely effective

Consequences of breaches becoming more severe (fines,

ID protection costs, reputation damage, legal and

forensic costs)

Multifactor is currently the most effective defenseagainst compromised accounts

Multifactor Requirements

Secure

Easy to use

Platform agnostic

Flexibility regarding second factor (not everyone has a

smart phone)

Administrative and support overhead can be managedwith current staff

The Real Challenge

How to sell multifactor to your institution…

Get buy-in from the top

Know your selected product inside and out

Have a communications plan and create opportunities togive presentations in front of as many campus groups as

possible

Be prepared with easy to use self-service documentation as

well as knowledgeable phone support backup

Field Report: Medical University of

South Carolina

Academic medical center

2,500 students and 10,000 faculty and staff

Relentless phishing attacks were resulting incompromised accounts (email and VPN)

Initial focus on increasing user awareness, and on early

detection and containment

Spring 2012: two-factor evaluation and feasibility

testing

Strategy and Policy

Summer 2012: Proposed new policies

Two-factor authentication required for remote access to

sensitive systems

Mobile device management Including BYOD devices if used to access institutional systems

(including email via ActiveSync)

Policy vetting: Presidents Council, Deans, Faculty

Senate, Medical Center leadership…

Oct 2012: SC Department of Revenue

Breach

Leadership: Make It Happen

Draft policies and standards approved

Vendor selection consummated

Two-factor: PhoneFactor

MDM: Zenprise

Project teams organized

Joint project communications

MUSC: 2 Factor Rollout Plan

April 2013: 250-person Pilot for IT Staff

What we learned: more communications!

August: Hire 5 interns/temp personnel

Support/Enrollment Tables

• August-‐October: Massive Communications Push

• October 1: “Cut-‐off” date

• Post Go‐Live: Support Minimal

Communications

1000 Signs across campus

Focus Groups Catalyst Article

Facebook Page

MUSC Website Page Tech Fairs/ Student Fairs

MDM/2FA Websites

All Staff Emails

Over 100 presentations to different

on‐campus groups

iPad Mini Giveaway

Posters & Banners

Help Tables

Newspaper Articles

Surveys & Focus Groups

Surveys

Random survey to 10 students on campus:

Do you know what Mobile Device Management is?

0 out of 10 knew what it was. Do you know what 2 Factor Authentication is?

1 our of 10 knew what it was.

Focus Groups

Non-‐Technical Users

Started with 35 Page Instructions

Ended with 1 Page Front and Back After Focus Groups

Email Campaign

All-Staff Email

From President of MUSC

All-Staff emails every week for 4 weeks

Targeted Emails

To Non-‐compliant users

5 per week for 4 weeks

All Staff Email for Final Days

Non‐compliance emails: Auto-‐Generated

Presentations Over 100 Presentations

Individual Administrators

Department Heads

All-Staff Meetings

Town Hall Meetings

“VIP” One-‐on-‐one Sessions

Lots of push back at first

“This isn’t going to happen”

“No way I’m doing this”

“Why do we have to do this?” Use Compliance in these cases

Lessons Learned

KNOW the products.

Inside and Out

Have Focus Groups Before You Start

Have examples Ready 2 Factor Demo

Make sure they know, they can’t get out of

Train your Support Staff

Lessons Learned: Continued

Make sure you get approval at the top first.

Plan on backlash.

Prep Legal and Compliance and give them form emails for

responses.

Be readily accessible through dedicated email address,

phone, etc.

Get it done. Don’t put off deadline.Users will sign up if they have to.

Field Report: Northern Arizona

University

26,000 students, 3,500 faculty and staff

Previous two-factor limited to small number of sys

admins and developers (using RSA fobs or software

tokens)

Direct Deposit attack fall of 2013 led to approval for

broader multi-factor use

Review of available products led to selection of DUO asmultifactor solution

Progress

Test instance of DUO up and running

VPN replacement project launched (switching from MS

PPTP to Cisco AnyConnect)

Project buy-in from President and Cabinet

Information Security Committee selected as Stakeholder

group representing all areas, students, faculty, and staff

Currently defining levels of assurance (including vetting

strategies for each level) and identifying which

resources will be protected

Poster Child for Project Management

Push to establish a PMO within ITS – currently have two

staff members

Multifactor project one of our first projects to take

advantage of the new PM structure

Hoping to avoid mistakes of the past including

communication problems and neglecting to get input

from campus stakeholders

Multifactor Authentication: Reporting from the Field (236876847)

Documents

Transcript of Multifactor Authentication: Reporting from the Field (236876847)

Powerful multifactor authentication through fingerprint ...

The Password Is Dead: An Argument for Multifactor Biometric Authentication

Using RD Gateway with Azure Multifactor Authentication … · Using RD Gateway with Azure Multifactor Authentication We have a client that uses RD Gateway to allow users to access

SAMS Domestic Quick Tour: Multifactor Authentication from ... · a 2-Factor Authentication page. 2. Click the refresh icon to generate a new authentication code. 3. Memorize or copy

Multifactor Authentication in ONTAP 9 - NetApp · Technical Report Multifactor ... Claim rules. Claim rules provide ... MFA for local and network access to privileged accounts and

MULTIFACTOR AUTHENTICATION WITH FORTITOKEN & … Info-Byte... · FortiToken 200 series performing a TOTP generation for Multi-Factor Authentication (MFA) ... Next-gen Firewall (NGFW)

Configuring Kerberos Authentication in a Reporting ...download.microsoft.com/.../SSRSKerberos.docx · Web viewManage Kerberos Authentication Issues in a Reporting Services Environment.

Multifactor Authentication for Business Banking Customer Platform: Certification Webcast for Security Code Laura Sund Martin Digital Insight University.

Using RD Gateway with Azure Multifactor Authentication€¦ · Using RD Gateway with Azure Multifactor Authentication We have a client that uses RD Gateway to allow users to access

Hacking Multifactor Authentication

MultiFactor - CSADay 2015cd-docdb.fnal.gov › cgi-bin › RetrieveFile?docid=5609&... · Multifactor authentication technologies • Security tokens: Small hardware devices such

Are Passwords Passé? Deployment Strategies for Multifactor Authentication (242304904)

“Evaluate the strength of online authentication methods”delaat/rp/2007... · Multifactor authentication • One-Factor Authentication • Two-Factor Authentication ... • Graphical

MultiFactor Authentication and Shibboleth IdPv3...MultiFactor Authentication and Shibboleth IdPv3 New flexibility, same old questions Etienne DysliMetref etienne.dyslimetref@switch.ch

Multifactor Authentication Installation and Configuration ... _ESS_Installation_Configuration_QS… · ESS portal is configured with https, create a https installer. 5. ... Multifactor

Custom Research MULTIFACTOR AUTHENTICATION AND … fileabiresearch.com AMERICAS: +1.516.624.2500 ASIA-PACIFIC: +65.6592.0290 EUROPE: +41.022.732.33.15 Custom Research MULTIFACTOR AUTHENTICATION

Multifactor Authentication Approaches and … Authentication Approaches and Multifactor for InCommon Silver ... 1.5 million password hashes! ... students who forgot their passwords

Topic: Multifactor Authentication - SecureITsecureit.com/resources/WP_HIPAA_HITECH_CMS_final_072811.pdfTopic: Multifactor Authentication ... The CMS has delegated authority to enforce

Opus Research Voice Biometric Conference · Multimodal Authentication 9 • Higher security levels through multiple authentication modalities and multifactor authentication • Customer-focused

MULTIFACTOR AUTHENTICATION SOLUTION - MULTIFACTOR... · in response to this RFP. The legal entity who signs and submits the bid and the Earnest Money Deposit. 2. ReBIT/ Purchaser