Child pages
  • 20190306- Protecting sensitive XSEDE user profile information with TFA

Decisions:

Summary | Description

Action Items:

Summary | Description | Responsible | Due Date

Notes/ Discussion items:

Attendees: JimM, Ken, Dave, Victor, Gary, Greg, JP, AlexW, Maytal, Shava
  • Proposed: Require TFA for updates to the user profile and for adding/removing people from an allocation.
    • Proposed reduced scope: only required for users who are enrolled in TFA
  • DUO update: Significant number of users who signed up to use DUO but never authenticated. A large number had not used DUO in one year, or had started the sign-up process but had no enrolled device. Cleaning them out reduced users to 3800 out of 5000 licenses.
  • Maytal: does this make us more secure?  It does reduce credential compromise for users enrolled in TFA. For users that have genomics or other protected data, it will help them be compliant. Globus is also moving towards HIPAA compliance.
  • JimM: If a user is enrolled with DUO, could someone sign in and turn off DUO?  Gary: no
  • What development might be required?  Maytal would need to check with the team.
  • Will TFA work on 3-legged auth and 2-legged auth?  Does Globus handle it?
    • Would like to enable individual services to decide if they require TFA or enable TFA if user is enrolled
    • DUO has about 20 services right now — each one has a different mechanism
    • If a service is using Globus Auth, can DUO distinguish it as a different service?
    • ACTION: Follow-up meeting with Globus, UII, Gary and Derek to discuss details and security
  • In the future, do we push PIs to use DUO?
  • SSO Hub is the only service required to have DUO.  Every other service can determine whether DUO is required.
  • When a password or email address changes, the portal sends an email
  • DUO Federation?  Not really a DUO priority due to revenue
    • Poor man’s federation solution via PAM modules  — maybe could do something centralized
  • Devices: smartphone is the default. Telephone still required for ~100 users; SMS not enabled now; a DUO hardware token might be an alternative
  • Potential future license issue if an XSEDE resource requires DUO
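As an added illustration (not code from XSEDE, Globus or Duo, and not something discussed in the meeting), the proposal above expressed as a step-up authorization policy: sensitive actions (profile updates, allocation membership changes) require a recently verified second factor, the reduced-scope variant applies this only to users already enrolled, each service carries its own require-TFA flag, and disabling TFA is itself treated as a sensitive action so that a hijacked session cannot simply switch the second factor off (the question JimM raised). The action names, the 15-minute freshness window, the `Session`/`ServicePolicy` types and the sample users are all assumptions made for this example.

```python
"""Step-up second-factor policy for sensitive portal actions (added example).

Everything here is an assumption for illustration: the action names, the
freshness window, the session and policy shapes, and the sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed set of actions the proposal would gate behind a second factor.
SENSITIVE_ACTIONS = {
    "profile.update",
    "allocation.add_member",
    "allocation.remove_member",
    "tfa.disable",
}

# Assumed freshness window: a second factor verified longer ago than this
# no longer counts, so a long-lived session cannot ride on an old push.
TFA_MAX_AGE_SECONDS = 15 * 60


class Scope(Enum):
    ALL_USERS = "all"            # original proposal
    ENROLLED_ONLY = "enrolled"   # reduced-scope proposal


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"            # prompt for a second factor, then retry
    DENY_NOT_ENROLLED = "deny"     # TFA required for everyone, user has none


@dataclass
class Session:
    username: str
    tfa_enrolled: bool
    last_tfa_at: Optional[float] = None   # epoch seconds of last verified factor


@dataclass
class ServicePolicy:
    """Each service decides for itself whether it requires TFA (assumed flag)."""
    name: str
    require_tfa: bool
    scope: Scope = Scope.ENROLLED_ONLY


def _fresh_or_step_up(session: Session, now: float) -> Decision:
    """Allow only if the session carries a recent second-factor verification."""
    if session.last_tfa_at is None:
        return Decision.STEP_UP
    if now - session.last_tfa_at > TFA_MAX_AGE_SECONDS:
        return Decision.STEP_UP
    return Decision.ALLOW


def authorize(policy: ServicePolicy, session: Session, action: str, now: float) -> Decision:
    """Decide whether `session` may perform `action` under `policy`.

    `now` is epoch seconds, passed in explicitly so the decision is deterministic.
    """
    if action not in SENSITIVE_ACTIONS:
        return Decision.ALLOW

    # Turning TFA off is always stepped up for an enrolled user, regardless of
    # the service's own policy; otherwise a session hijacker could disable it.
    if action == "tfa.disable" and session.tfa_enrolled:
        return _fresh_or_step_up(session, now)

    if not policy.require_tfa:
        return Decision.ALLOW

    if not session.tfa_enrolled:
        # Reduced scope: unenrolled users are not gated; full scope: they are blocked.
        if policy.scope is Scope.ENROLLED_ONLY:
            return Decision.ALLOW
        return Decision.DENY_NOT_ENROLLED

    return _fresh_or_step_up(session, now)


if __name__ == "__main__":
    # Constructed sample data, not real XSEDE users or services.
    portal = ServicePolicy("user-portal", require_tfa=True)
    alice = Session("alice", tfa_enrolled=True, last_tfa_at=1_000.0)
    bob = Session("bob", tfa_enrolled=False)
    for who, action, when in [(alice, "profile.update", 1_500.0),
                              (alice, "profile.update", 2_000.0),
                              (bob, "profile.update", 1_500.0),
                              (alice, "tfa.disable", 2_000.0)]:
        print(who.username, action, "->", authorize(portal, who, action, when).value)
```

The decision function is deliberately pure (time is an input) so it can be unit-tested and audited; the enforcement point that prompts for the second factor and refreshes `last_tfa_at` would live in the web layer.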
