Deploying Two-Factor Authentication to 45k Users
Bryan Wooten
Rachael Sheedy
Brandon Gresham
Two-Factor Authentication (2FA)
The Beginning
• NSTIC Grant
• https://spaces.internet2.edu/display/scalepriv/Scalable+Privacy
• Funds used to hire consultants to modify SSO
– Central Authentication Service (CAS)
• Apereo CAS
– Under $100k
The Environment
Pilot Rollout
• Staggered rollout to IT and HR employees
• Built Duo Self-Service App
– Original source code from University of Chicago
– Forks from University of Utah
• Public: Helpdesk component (generate bypass-code)
• Private: integrations, UI/UX, improved operational support, bug fixes & policy-enforcements, automations
Self-Service App
Project Scope
• Applications
– 150+ SAML (Shibboleth) / Cloud (Canvas)
– 600+ Campus hosted Web apps (PeopleSoft / Homegrown / JAVA / .NET / PHP / Ruby)
• All Current Employees
– Includes student employees
• All users accessing VPN and clinical servers
• Offshore Vendors
Two 2FA Services
Offshore vendors for University Medical Billing and Revenue Billing
Providers using e-Prescribe
Remote Access to Clinical Servers
Remote Access to Campus Servers
Remote Access via Citrix Access Gateway
Remote Access via Clinical and Non-Clinical VPN
All applications protected by CAS-WEB
Communications Plan
• Targeted emails
• Newsletter & website announcements
• Dedicated 2FA website
• Modal announcement on employee page
• Employee appreciation day booth
• Numerous meetings with governing and leadership groups
• And, a tagline…
The Aftermath…
[Chart: Total employee 2FA enrollment, Enrolled / Unenrolled: 89% / 11%. As of 2/27/2017]
[Chart: Monthly Duo 2FA Authentications, Oct to Jan, vertical axis 0 to 700,000. As of 2/9/2017]
*As of Feb 2017
…Continued…
• Top reasons for helpdesk calls:
– Step-by-step support
– Need bypass code
– RSA or Duo?
• Significant increase in helpdesk call volume after implementation
– Primary reason was procrastination
Lessons Learned
• Executive buy-in!!
– Canvas pushback
• Engage dept IT leaders for support
• Start with a pilot rollout
• Testing center issues: Whitelist!
• Provide self-service
Live Demo
[email protected]@utah.edu
Original source code from University of Chicago
https://github.com/uchicago/duo-registration
Fork from University of Utah
https://github.com/bane73/duo-registration
Thank You!
Appendix