1. Duo UI Demo Christopher Bongaarts

2. CONTEXT/MOTIVATION Two-factor auth already in use –“M Key” – Safeword Silver tokens, Safeword PremierAccess software –Implemented in 2007 –Tokens became prohibitively expensive –Software upgrade with platform change required for new tokens Enter Duo –NET+ pricing very attractive –User choice of 2 nd factor – flexibility –Strong security pedigree

3. CONTEXT/MOTIVATION The Catch –Admin interface lacks granularity, delegability –No end-user self-service interface (recently rectified)rectified The Silver Lining –Admin and Auth APIs covering almost everything you could wantAdminAuth –UI integrates with existing “account options” and “helpdesk” sites –Fits in nicely alongside password change, etc. –Already familiar to users, helpdesk staff

4. OVERVIEW - USER Enrollment –Data security staff receive access request (existing process), mark user Eligible to Enroll –User visits account options site, chooses “Enroll in Duo” –User is marked Active in Duo, sent to Duo enrollment page Authentication –Shibboleth – added hooks to Web API from custom login handler –LDAP gateway for Peoplesoft –RADIUS gateway for VPN, some UNIX integrations Management –User has “Manage Duo Devices” link on account options site –Shows current status, devices –Add, reactivate, reorder, remove devices

5. OVERVIEW – HELPDESK STAFF View user’s Duo status, devices (off-campus phones masked) Enable passcode retrieval, with one passcode to start Remove devices Data security has extra privileges: –Set Duo status –Add and remove devices (including tokens) –Enable passcodes with different parameters

6. DEMO Demo of interfaces

7. QUESTIONS/CONTACT Q&A Contact info: –Christopher Bongaarts –cab@umn.educab@umn.edu –+1 (612) 625-1809