
Two-Step Authentication for Application and Website Owners

Recommended practices and rollout strategy

As a Stanford web application owner, you face a daily challenge in keeping your data limited to just the people who should have access to it. If your data is particularly sensitive, two-step authentication can help considerably in restricting it to authorized users. Below are IT Services' suggestions on how to configure two-step authentication to meet your application's particular needs, and how best to roll it out to your user population.

The main configuration decision you need to make is whether your application should require two-step authentication all of the time or only some of the time. The choice depends largely on your user population and the sensitivity of the data in your application.

Requiring two-step for every authentication gives the strongest protection, but it carries more overhead: everyone who accesses your web application must complete the two-step login each time.

If you choose not to always require two-step authentication, you can instead have the system randomly request an authentication code, roughly twenty percent of the time, per user per session.

If your application has access to High Risk Data (protected health information, passport or visa numbers, research covered by an NDA, Social Security numbers, credit card numbers, financial account numbers, etc.), it should require two-step authentication every time it is accessed. Your users will have to enter their two-step authentication code more often than they otherwise would, but it significantly strengthens the verification of the identity of anyone accessing your application.

Your user population is another important factor when choosing your application's frequency of authentication. With a small pool of users, it is much easier to require that they always authenticate to access your application's data, because you can more easily tell them what to expect and help them understand how to access the information they need.

If you have a fairly large user population, you may want to start with random authentication, which exposes your users to two-step authentication in a smaller, more contained way. You can then raise the frequency to 'always' once your user base has become accustomed to two-step authentication.

Whichever frequency of authentication you choose for your application, it is very important to reach out to your user base before implementing it. We encourage application owners to make sure that the consumers of their application understand why it is being protected this way.

Enable two-step authentication

To require two-step authentication for your application, add one of the following directives to the WebAuth block protecting your web application.

Random

  • For random two-step authentication, use: WebAuthRequireInitialFactor rm

Always

  • To always require two-step authentication, use: WebAuthRequireInitialFactor m
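The two settings above in context, as an added example that is not part of the original page: a typical mod_webauth configuration block for a High Risk Data application, with the random-prompting variant shown beside the always-required one. The `/secure/` path, the `AuthType WebAuth` and `Require valid-user` lines are assumptions about an ordinary WebAuth-protected location; only the two `WebAuthRequireInitialFactor` values come from this page.

```apache
# Added example (not from the original page). The Location path, AuthType
# and Require lines are assumed; the WebAuthRequireInitialFactor values
# are the two documented on this page.

# Weak choice for High Risk Data: random prompting. Only about one
# login in five asks for a two-step code, so a stolen password alone
# gets into the application most of the time.
<Location /secure-random/>
    AuthType WebAuth
    Require valid-user
    WebAuthRequireInitialFactor rm
</Location>

# Recommended for High Risk Data: every initial login must include the
# two-step (multifactor) step before WebAuth grants access.
<Location /secure/>
    AuthType WebAuth
    Require valid-user
    WebAuthRequireInitialFactor m
</Location>
```

After changing the directive, reload the web server and verify the behaviour from a browser that already holds a password-only WebAuth session: the `m` location should send that user back through the two-step prompt rather than accept the existing session, while the `rm` location will do so only some of the time. Leaving the directive out entirely means password-only logins are accepted for that location.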

IT Services will be happy to help you with this task; please submit a HelpSU request if you need additional information or have any other questions about the service.

Duo integration

Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop (RDP) and local logins. Duo can also be added to UNIX systems to protect remote (SSH) and local logins. See Duo Integration with RDP/SSH/PAM for more information.

Last modified November 19, 2015