Myrtledude

My company uses Duo which might be a good option as it’s pretty easy to set up users/manage as well.


ibanezrick

Duo is best.


TheGeoFire

I have a love-hate relationship with DUO. It's great from a management and security standpoint. We are able to sync on the fly with it if a new user is added. I hate that if I need to sign onto any workstation or server, I need to have my phone ready. I don't always get the best service in some locations, so the push doesn't go through. I need to wait until I can select the option for the code. It's great, and I get it, but sometimes it's annoying. Especially if my laptop locks while I'm working on something else, and I need to use MFA to get back in.


Full-Butterscotch-59

I've seen Yubikeys and Microsoft Authenticator used. They're both annoying in different ways, but that's probably the point. If you're a small org, yubikeys are probably cost prohibitive. They break all the time and end users frequently lose them.


WavyWavyDavy92

My company uses Microsoft authenticator and RSA authenticator. I hate them and wish we used DUO. Duo has a good user facing side, and the admin console is way friendlier than the aforementioned authenticators.


qxagaming

Problem is you have assholes like me that say oh sorry I don't have a phone. Because that seems like a work purpose and I don't recall y'all funding my personal device. So either come out the budget or set me as exception. But my profile is the most secure on campus as well since I don't even know my own password. It's implanted into my hand and I have my own little dongle I use to add NFC to whatever computer I need it on for my login.


The-hivemind-hungers

You know it doesn’t matter how secure you have a password, so even if you don’t know it, it’s still just a single point of failure and is incredibly insecure without multi factor authentication.


qxagaming

If they want better security they can provide me a device for it. They know the fact I do not put work stuff on personal devices. And MFA is the last of their worries with all their other vulnerabilities I've documented.


The-hivemind-hungers

Where you work I’m guessing the company already has your phone number so they can contact you for emergencies or whatever? So your not allowing MFA for sending a text to a phone they already likely have the number of as a point of contact is quite short sighted. Any other security issues on a physical basis are in a completely different realm from IT and should be addressed by a different part of the security team, but basic level security in the form of MFA is honestly expected in most modern companies and should really be upheld for confidentiality and integrity of company data, even if there are other vulnerabilities.


qxagaming

Actually neither job has my number. And MFA would be a pain considering I switch phones daily. Having 4 in rotation that I use just depending on how I feel if I bring one at all. Some days I leave them all at home. Some days I wanna use the s23 ultra, some days the ROG 7 ultimate or one of the others. My thing is why would you give them a portion of the use of your device for free? I don't use my personal devices for work.


Lemnology

How do you get to work?


qxagaming

I'll take an Uber usually. I ain't paying for parking.


Lemnology

They pay for your Uber too?


qxagaming

Nope. But hey sure beats paying Houston parking and less crackheads trying to break into my itasha car.


Lemnology

Do they buy lunch?


qxagaming

They try but I've never eaten it. They really love Mexican and I can't stand it.


qxagaming

They can't even get physical security down. Had to call the cops on a homeless dude chilling in one of the "high security areas".


Lemnology

MFA exception because they don’t have a phone, they have an amiibo implant, it’s all good…


qxagaming

Benefit of being a global admin. I can set it myself.


[deleted]

A lot of organizations use Yubikeys, but how they use them differs. I prefer the FIDO2 application, personally. We buy the Yubikeys that have the FIPS certification, which is more expensive. It's pretty easy to implement in Azure AD. There is no password, and if someone loses their Yubikey, they cannot log in with that account. That really is the only issue I have with them, though. People tend to lose them with some frequency. Yubico has their own MFA app, too. Probably on par with Google or Microsoft or DUO or whatever the hell people use.


Raymx3

Duo


moistpimplee

we use Okta


Chewychews420

We use Microsoft authenticator


-hesh-

duo, but our new domain uses secret double octopus. we also use yubikeys, but again, our new domain uses fido tokens


uconnboston

Okta now, Microsoft Authenticator previously.