UA NetID+

Date: Wednesday, August 13, 2014

No announcements

Introduction of leadership team members: M. Hagdon, M. Harmon, J. Santos, L. LePere

Presentation – NetID+ from service provider point of view.
Gary Windham, systems architect at UITS.

NetID+ is two-factor authentication: something you know and something you have. Currently optional. 700 people have subscribed so far. It will gain traction when app developers require it.

Why it’s important: the average user has 25 accounts but just 6.5 passwords. 2 out of 3 breaches exploit weak or stolen passwords. Increased computing power makes cracking passwords practical at low cost, even if a limited number of tries locks out the user for a period of time. Last year there was a breach in UAccess Employee for a few targeted employees where payroll routing information was changed.

University contracting with Duo Security. Solution addresses a spectrum of use cases (different devices with different capabilities including feature phones, phones with no SMS, even no device).

Any app using WebAuth or Shibboleth can easily require NetID+. Shibboleth requires a configuration snippet. The request form to set up WebAuth includes an MFA (multi-factor authentication) option. If not using WebAuth or Shibboleth, Duo Security has prebuilt modules for many different architectures. Search for Duo Security on GitHub. There’s also a list of plugins on their website.

Can turn on globally for the entire app or select group(s) of users. If global, all users will have to register for NetID+. Grouper software allows developers to create groups in EDS.

A NetID+ user can also select global usage. Global from the user side means any app using WebAuth or Shibboleth will require NetID+ to log in, even if the app developer has not incorporated it.

Demo of login with NetID+ using smart phone Duo Push:

After supplying the regular NetID password, a second screen is shown with several options for the second factor. Selecting “Duo Push” causes the app on the smartphone to alert the user that a login was attempted. In the app on the phone the user selects OK and the login is complete.

The user can also deny the login on the device. If denying, the user must choose a reason: “seems fraudulent” or “mistake.” Choosing “seems fraudulent” sends an email to the admin (Gary, not the admin of the app).

Enrollment process: the user logs in with NetID and clicks Enroll. After enrolling, the user can add device(s). Smartphones and tablets require the Duo Mobile app to be installed first (available for iOS, Android, Palm, Blackberry, Windows Phone, Symbian). The camera on the device is used to scan a QR code from the NetID+ website to complete account setup for the mobile app.

Other options for the second factor:

  • Print bypass codes from NetID+ website (10 single use codes to print and take with you; they don’t expire).
  • Set up “Lifelines”: register the voice or text phone of someone you trust and have a pre-arranged way for them to get the code to you.
  • If you have the app on a device but it’s not connected, the app can provide a one-time use passcode.
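The two passcode-style options above (an offline one-time passcode from the app, and printed single-use bypass codes) both rest on the same server-side discipline: a code must be accepted at most once, and the server must not move backwards. The block below is an added example, not Duo’s or UITS’s code. It uses the RFC 4226 HOTP construction for the offline passcode (Duo’s exact scheme is not described in the notes, so that choice is an assumption) and a salted-hash store for ten non-expiring bypass codes, matching the count and no-expiry behaviour stated above. The shared secret is the RFC 4226 test secret and the bypass codes are randomly generated, both constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not Duo's or UITS's code: event-based one-time passcodes
# (RFC 4226 HOTP) verified with a small look-ahead window, plus a store of
# single-use bypass codes that is consumed on use. All values are constructed.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OfflinePasscodeVerifier:
    """Server side of an offline device passcode: device and server share a secret
    and a counter. The server accepts the next `window` codes to tolerate codes the
    user generated but never submitted, and never moves the counter backwards."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, submitted: str) -> bool:
        for step in range(self.window):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                # Resynchronise past the used counter so the same code cannot be replayed.
                self.counter = candidate + 1
                return True
        return False


class BypassCodeStore:
    """Printed bypass codes: generated once, shown to the user once, stored only
    as salted hashes, each accepted at most once. They do not expire, matching the
    behaviour described in the notes."""

    def __init__(self, count: int = 10, digits: int = 8):
        self.salt = secrets.token_bytes(16)
        codes = [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]
        self.hashes = {self._hash(c) for c in codes}
        self._issued = codes  # handed out once by issue(), then discarded

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self.salt + code.encode()).digest()

    def issue(self) -> list:
        """Return the plaintext codes exactly once (for printing)."""
        codes, self._issued = self._issued, []
        return codes

    def redeem(self, code: str) -> bool:
        h = self._hash(code)
        if h in self.hashes:
            self.hashes.discard(h)  # single use: a second attempt with the same code fails
            return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret, constructed for the demo
    v = OfflinePasscodeVerifier(secret)
    print(v.verify(hotp(secret, 2)), v.verify(hotp(secret, 2)))  # True False
    store = BypassCodeStore()
    printed = store.issue()
    print(store.redeem(printed[0]), store.redeem(printed[0]), store.remaining())  # True False 9
```

The look-ahead window is the usual trade-off for offline passcodes: wide enough that a user who generated a few codes without submitting them is not locked out, narrow enough that an attacker cannot guess far ahead. Once a code in the window is accepted, everything at or below that counter is dead.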

There are FAQs and videos for users and developers on the UA NetID+ website.

Using Grouper to set up group(s) required to use NetID+:
UITS has been using Grouper for 4 or 5 years, mostly for UA courses. They've developed a UI for managing groups in the SIA Apps portal. Groups are organized into categories called “stems.” To add people to a group in the UI you can search for a person by name and drag and drop them into the group. There is also a web service, or you can drag and drop a CSV file. Within 5 minutes the group will be in EDS.

Q: Is it possible to set up NetID+ only from unidentified IPs, etc.?
A: Technically: yes. Policy: probably not going to happen.

Q: How does it work with VPN?
A: There is a Cisco plugin. It asks for a second password: you can use a passcode generated by the app, have it call any phone line, or type in “push” to use the mobile app on the device.

Q: How do you configure for custom roles within Drupal?
A: Create a group in Grouper with the same members as your Drupal role. NetID+ doesn’t confer privileges for that person in the Drupal site; that’s handled by Drupal.

Q: Is there an existing naming convention for stems in Grouper?
A: If for college or department there is already a stem for each of those. Soon will be pushing groups from catnet into Grouper.

Q: What if you want a group for everyone in certain department codes?
A: Use Grouper web services. Add a Grouper Admins group and set it up to use EDS. Use PHP script to add users. Lots of different input and export formats. You can set up a periodic cron job to search EDS for people with certain characteristics.

Q: For groups coming from catnet, can members see the other members of the group?
A: Yes.

Meeting recording at: https://sas.elluminate.com/p.jnlp?psid=2014-08-13.1454.M.17D6735E362A6803CBAE1FE869B829.vcr&sid=2009207

Gary’s Prezi is at http://prezi.com/tr_udpoypudm/?utm_campaign=share&utm_medium=copy

The NetID+ self-service enrollment/management site is at https://webauth.arizona.edu/netid-plus

The SIA Apps portal (where you can register/manage WebAuth, Shibboleth, EDS, Grouper) is at https://siaapps.uits.arizona.edu