Multi-factor Authentication Initiative
"UCR's Multi-factor Authentication Initiative is an easy-to-use solution to our need to secure our campus community's credentials. The Duo Security system that we integrated with our campus single sign-on infrastructure is more flexible and easier to use than technologies we previously tested. Duo's broad range of options for entering an additional authentication factor ensure that the full spectrum of our user base will be able to take advantage of this enhanced security. I believe this is a best-in-breed implementation of multi-factor authentication."
--- Bob Grant, Executive Director and CTO, UCR Computing and Communications
Campus Impact
UC Riverside's implementation of a multi-factor authentication (MFA) initiative has provided the campus with a huge leap forward in network security that is easy to adopt by members of the campus community, since it relies on devices (e.g. smartphones) they are already familiar with. Since it is integrated with the campus single sign-on infrastructure (CAS), it is a smooth extension to the authentication processes they already use.
Business Need
UCR has made a strategic investment during the past decade in identity management and a single sign-on infrastructure that leverages Jasig's Central Authentication Services (CAS). All members of our campus community use their credentials (a UCR NetID and password) through CAS to access web applications and databases. Many of these have increased security requirements because they incur financial obligations and access personally identifiable information (PII) in human resource or student records.
This highly integrated authentication and authorization infrastructure is placed in the context of an almost daily onslaught of phishing messages, viruses and network probes that seek to steal the credentials of staff, faculty and students. Consequently, there is a clear business need to mitigate the risk of a breach associated with the accidental or purposeful divulging of credentials, in a manner that easily integrates into the well-established authentication and authorization channels currently being used by campus (CAS).
UCR's implementation of a multi-factor authentication (MFA) initiative based on the Duo Security system and customized to integrate with CAS meets this need, since it requires two authentication factors: a password followed by the use of a smartphone or token that can't be divulged in a phishing attack or via other means.
Highlights
• Evaluation of Duo Security vs. "in-house" developed TOTP MFA solution.
• Development of reusable modules for integrating Duo Security based multi-factor authentication with a Central Authentication Services (CAS) single sign-on system.
• Development of a user portal for self-management of devices used for authentication (e.g. phones, hardware tokens, and cell and land-line phone numbers).
The Process: Technology and Implementation
Evaluation
The initial evaluation phase began with a process that involved identifying factors to rate potential multi-factor implementations. Ten different factors were identified:
Evaluation Factor | Description
Integration with CAS | Can the product integrate with the campus CAS implementation?
Integration with Windows/AD | Can the product integrate with Active Directory (Windows) based authentication?
Application specific passwords | Can users set passwords for applications that cannot easily be made to use multi-factor authentication, such as email?
Highly available | Is the product highly available and redundant?
Monitorable | Can the product be easily monitored for outages?
Multi-channel capable | Do users have the option to use several different types of devices for authentication (smartphones, tokens, SMS)?
Multiple classes of users | Can users be classified into groups such as administrators, financial system transactors, etc.?
Ability to opt-in/opt-out | Is it possible to opt-in a subset of users to begin a pilot?
Campus VPN integration | Can the product integrate with the campus Cisco VPN?
Integration with SSH | Can the product be used to require multi-factor when
After some initial research, five products were identified for initial evaluation using the evaluation factors: Duo Security, PhoneFactor, Toopher, Authy, and SecureAuth. Additionally, an "in-house" developed solution based on time-based one-time passwords (TOTP) was added to the list.
Evaluation Factor | Duo | PhoneFactor | Toopher | Authy | SecureAuth | TOTP
Integration with CAS ✔ ✔ ✔ ✔
Integration with Windows/AD ✔ ✔
Application specific passwords ✔ ✔
Highly available ✔ ✔ ✔ ✔ ✔
Monitorable ✔ ✔ ✔ ✔ ✔ ✔
Multi-channel capable ✔ ✔ ✔ ✔ ✔
Multiple classes of users ✔ ✔ ✔
Ability to opt-in/opt-out ✔ ✔ ✔ ✔
Campus VPN integration ✔ ✔
Integration with SSH ✔ ✔
Based on the initial evaluation, two solutions, Duo Security and the TOTP solution, were chosen for further evaluation.
Selection
Ultimately, the selection of Duo Security over the "in-house" developed TOTP solution hinged on the number of authentication channels available out of the box. While the TOTP solution could rely on a smartphone product like Google Authenticator, or a token, Duo offered a rich set of smartphone applications that performed push authentication requests, which made it easier to use.
Implementation
The implementation of multi-factor authentication thus far consisted of two parts: first, writing the code to integrate Duo Security with CAS, and second, developing a portal utilizing Duo Security APIs for the users of MFA to enroll and manage smartphones and tokens.
CAS Integration
The Duo Security product comes with a number of integrations, but CAS is not one of them.
Fortunately the CAS architecture allows extensions to add new authentication types. At a high level several things needed to be added or changed in CAS:
• The Spring web flow was altered to show a second authentication screen for Duo if the user was opted into MFA and the application being accessed allowed or required MFA.
• Spring web flow action beans were added to connect to the Duo Security web services and perform the second authentication for a user (send a push notification to Duo Mobile, verify a passcode generated by a token, etc.).
• The CAS security context was extended for an authenticated user so CAS could keep track of whether a CAS ticket granting ticket was generated using only a username/password (one factor) or username/password plus a Duo Security authentication (two factors).
• Code was added to query the attributes in the CAS services registry to determine whether a particular application requires MFA or not.
UCR has placed the code to integrate with CAS in an open-source repository and has already had inquiries from two other universities regarding our implementation.
Multi-factor Authentication Enrollment Portal
Duo Security does not offer a customizable branded enrollment portal for users but does offer a rich set of APIs for building such a solution. UCR opted to build a customized portal utilizing these APIs to facilitate enrollment and subsequent profile management. This application, written using the Grails framework, has several features:
• A step-by-step wizard to walk a user through enrolling in MFA for the first time.
• Once enrolled, the ability to add/remove smartphones and tablets that are running the Duo Security mobile app.
• Once enrolled, the ability to add/remove hardware tokens such as a Yubico YubiKey.
• Ability to request several single-use passcodes in the event the enrolled smartphone/token is unavailable.
Implementation Flexibility
UCR's implementation allows applications to flexibly configure their MFA requirement based on a number of attributes. The most secure level, to be utilized once MFA is rolled out extensively on campus, is to require MFA of every user of the application. This would require a user to be set up for MFA before using the application the first time. Current applications enabled for MFA only require it for users who have enrolled in the MFA production pilot. Other applications may choose to not require MFA at all. Our campus portals and about 20 other applications currently utilize MFA for all enrolled users.
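The per-application MFA levels described above, together with the one-factor vs. two-factor bookkeeping the CAS integration section says was added to the security context, can be modelled as a small policy check. This is an added illustration, not UCR's CAS code; the policy values, attribute names and the two classes are assumptions standing in for the real services-registry attribute and ticket granting ticket.

```python
# Added illustration (not UCR's CAS code): models the MFA decision rules the case study
# describes. Policy names and class shapes below are assumptions, not CAS identifiers.
from dataclasses import dataclass

# Hypothetical values of a services-registry attribute, one per level described above.
MFA_NONE = "none"          # application never asks for a second factor
MFA_ENROLLED = "enrolled"  # ask only users enrolled in the MFA pilot
MFA_REQUIRED = "required"  # every user must complete Duo; unenrolled users are refused


@dataclass(frozen=True)
class Service:
    url: str
    mfa_policy: str          # one of the three constants above


@dataclass(frozen=True)
class TicketGrantingTicket:
    netid: str
    factors: int             # 1 = password only, 2 = password + Duo


def second_factor_needed(service: Service, enrolled: bool) -> bool:
    """Should the web flow branch to the Duo screen for this user and service?"""
    if service.mfa_policy == MFA_REQUIRED:
        if not enrolled:
            # "Most secure" level: the user must enroll before first use.
            raise PermissionError("user must enroll in MFA before using this application")
        return True
    if service.mfa_policy == MFA_ENROLLED:
        return enrolled
    if service.mfa_policy == MFA_NONE:
        return False
    raise ValueError(f"unknown MFA policy: {service.mfa_policy}")


def ticket_satisfies(tgt: TicketGrantingTicket, service: Service, enrolled: bool) -> bool:
    """An existing single sign-on session may only be reused for a service whose
    requirement it already meets. A one-factor TGT must not silently unlock an
    application that wanted Duo, which is why CAS tracks the factor count."""
    try:
        required = 2 if second_factor_needed(service, enrolled) else 1
    except PermissionError:
        return False
    return tgt.factors >= required
```

Note that the factor count is compared with `>=`, so a two-factor session is accepted by an application that only needed a password, while the reverse is refused.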
Testimonials
"I'll admit, when it was proposed that I pilot the new multi-factor authentication tool, I was worried that it was going to take longer to access campus applications and because I am a 'non-techy,' using MFA would not be easy. I was pleasantly surprised to find out my experience was the exact opposite. The Duo Security application was easy to install on my iPhone and it is extremely user friendly. As soon as I try to log on to any campus application or the R'Space portal, a push notification is sent to my iPhone. When I acknowledge the push notification, in no time at all, a screen appears on my phone asking me to verify my authentication by simply touching 'Approve' on my phone screen. It is an extremely fast and painless process. I have had absolutely no problems with MFA and am still able to access applications in a timely manner. I wish all pilots went this smoothly."
--- Shelley Gupta, CFAO, Computing and Communications
"UC Riverside's implementation of MFA has already become an integral part of the defense in depth strategy for campus users and resources. Our security teams spend considerable time dealing with compromised credentials and MFA is a new defense layer to combat these issues. The MFA implementation provides the critical enhancement of security for users without sacrificing usability and functionality of campus services. It has truly been a commendable implementation."
--- Nick Turley, Manager of IT Security, Computing and Communications
Timeline
May 2013
Project Initiation
June 2013
Evaluation and selection of solution
August 2013
Integration with CAS completed
September 2013
Enrollment portal completed
October 2013
Production Pilot begun with Computing and Communications staff
March 2014
MFA deployment planning and phased deployment to campus
Team Members
Computing & Communications
Michael Kennedy, Enterprise Architect
Stephen Hock, Manager of Identity Management, Infrastructure and Security
Jonathan Ocab, Systems Analyst, Infrastructure and Security
Andrew Tristan, Associate Director, Infrastructure and Security
Russ Harvey, Director, Infrastructure and Security
Submitted By
Michael Kennedy, Enterprise Architect, Computing & Communications, University of California, Riverside
[email protected]
(951) 827-4875