Penn State Identity Services: Two-Factor Authentication (2FA) Bypass Code Policy and Procedure

Author: Identity Services Two-Factor Authentication (2FA) service team (Andrea Harrington, Sue Jones, Max Miller, Jimmy Brown, and Paul Yeager)

Created: 11/18/2015

Overview

This document represents the Identity Services (IdS) Bypass Code Policy and Procedure for Two-Factor Authentication (2FA).

Background

2FA provides a second layer of protection to a user’s digital identity (such as an Access Account) and to Penn State data, systems, and services.

While users will be strongly encouraged to enroll more than one device, users will not be required to enroll multiple devices, and, further, some users may not have an appropriate alternate device available. For example, some users will have cell phones but will not have access to any other devices, such as landlines, tablets, or hardware tokens.

Whether it’s an instance of a single enrolled device not being available (broken or lost) or a malfunctioning primary device being the only one available (mobile device isn’t working while away from a back-up landline), users will occasionally find themselves unable to gain access to Penn State websites and services and will, therefore, request a temporary solution. A bypass code provides that temporary solution, granting a user access to 2FA-protected sites without an enrolled 2FA device.

Decision

Identity Services authorizes the use of bypass codes based on the following criteria.

Conditions to Issue Bypass Codes

  • Requester must be identity proofed (following standard IT Service Desk process).
  • No enrolled device options are available.
  • No secondary device is available for enrollment.
  • No temporary device is available for enrollment.
  • Access to Penn State systems is needed.

Who Will Issue Bypass Codes

The bypass codes will be issued by appropriate IT staff members (Duo Admin Panel rights are required):

  • Select IT Service Desk personnel.
  • IdS 2FA service team members.
  • Other authorized (by IdS) IT staff.

Bypass Code Details

The number of uses for the bypass code issued to an individual user and the expiration time for the code will be determined based on a conversation between the support personnel and the individual requesting the bypass code (no more than 5 uses and an expiration of no more than 12 hours). The goal is to determine the fewest number of uses with the shortest expiration time that will satisfy the needs of the user until a currently enrolled device becomes available or a new permanent or temporary device becomes available to enroll with the service.

If other options are needed, escalate to ITS-IDS-2FA.

Based on that conversation:

  • One-time use codes
    The code is used to get the user logged in one time and will expire within 12 hours (should be set to a maximum of 720 minutes).
  • Multiple-use codes (one code that can be used multiple times)
    The user can use this code up to 5 times within 12 hours (set to a maximum of 720 minutes) to get them through a workday.
  • All codes should be set to expire in no more than 12 hours (720 minutes) regardless of whether they are consumed.

Note: The expiration time of a bypass code indicates when the code itself will expire if it is not used; it is not the expiration time of the session created by authenticating with that code. For instance, a bypass code set to expire in 12 hours could be used to authenticate to a 2FA-protected service 11 hours and 59 minutes after being issued, and the authenticated session would then last for its own full lifetime; a WebAccess session, for example, might last 15 hours unless the user logs out or a location change requests a fresh authentication.

Tracking of Bypass Codes

In order to ensure that no individual user abuses the availability of bypass codes, the following information will be tracked (in the ServiceNow ticket, for example) each time a bypass code is issued:

  • Name and Access Account user ID of user.
  • Date and time of bypass code issuance.
  • Why the bypass code was necessary.

The determination about whether users are abusing the availability of bypass codes will be made by the IdS 2FA service team.
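As an added illustration (not part of the policy document or any Penn State tooling), the following Python script checks a proposed bypass code against the limits stated above, computes the worst-case session end described in the note on expiration, and tallies issuances per Access Account from constructed ticket records so the IdS 2FA service team can see who to review. The 3-codes-in-30-days review threshold and the 15-hour WebAccess session length are assumptions made here for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Limits stated in the policy: at most 5 uses and an expiry of at most 720 minutes (12 hours).
MAX_USES = 5
MAX_EXPIRY_MINUTES = 720
# Review threshold and window are assumptions for this example; the policy leaves the judgement to IdS.
REVIEW_THRESHOLD = 3
REVIEW_WINDOW = timedelta(days=30)

def validate_request(uses, minutes):
    """Return the list of policy violations for a proposed bypass code; an empty list means it may be issued."""
    problems = []
    if not 1 <= uses <= MAX_USES:
        problems.append(f"uses={uses} is outside the 1..{MAX_USES} range allowed by policy")
    if not 1 <= minutes <= MAX_EXPIRY_MINUTES:
        problems.append(f"expiry={minutes} min is outside the 1..{MAX_EXPIRY_MINUTES} range allowed by policy")
    return problems

def latest_session_end(issued_at, minutes, session_hours=15):
    """Worst case: the code is redeemed just before it expires and the resulting session
    (assumed ~15 h for WebAccess, per the policy note) then runs for its full lifetime."""
    return issued_at + timedelta(minutes=minutes) + timedelta(hours=session_hours)

def users_to_review(records, now):
    """Count codes issued per Access Account within the review window; return users at or over the threshold."""
    counts = Counter(r["user_id"] for r in records if timedelta(0) <= now - r["issued_at"] <= REVIEW_WINDOW)
    return {user: n for user, n in counts.items() if n >= REVIEW_THRESHOLD}

# Constructed ticket records mirroring the fields the policy says to track (name, user ID, time, reason).
SAMPLE_NOW = datetime(2015, 11, 18, 8, 0)
SAMPLE_RECORDS = [
    {"user_id": "abc123", "name": "A. Example", "issued_at": datetime(2015, 9, 1, 10, 0), "reason": "phone lost"},
    {"user_id": "abc123", "name": "A. Example", "issued_at": datetime(2015, 11, 2, 9, 0), "reason": "phone left at home"},
    {"user_id": "abc123", "name": "A. Example", "issued_at": datetime(2015, 11, 9, 9, 30), "reason": "phone left at home"},
    {"user_id": "abc123", "name": "A. Example", "issued_at": datetime(2015, 11, 16, 8, 45), "reason": "phone broken"},
    {"user_id": "xyz789", "name": "B. Example", "issued_at": datetime(2015, 11, 17, 14, 0), "reason": "token resync failed"},
]

def sample_review():
    """Run the abuse-review tally over the constructed records as of SAMPLE_NOW."""
    return users_to_review(SAMPLE_RECORDS, SAMPLE_NOW)

if __name__ == "__main__":
    print("5 uses / 720 min:", validate_request(5, 720) or "allowed")
    print("6 uses / 1440 min:", validate_request(6, 1440))
    print("worst-case session end:", latest_session_end(SAMPLE_NOW, 720))
    print("users to review:", sample_review())
```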

Escalation to IdS

Staff at the IT Service Desk and other authorized (by IdS) IT staff members can only issue bypass codes that match the determined policy. If a user feels that the chosen option will not meet the needs of his/her situation, then the request will be escalated to Identity Services for a review by the IdS 2FA service team.

Bypass Code Procedure

The following is a procedure for how bypass codes will be handled by IT Service Desk staff, the IdS 2FA service team, or other assigned (by IdS) IT Support personnel. The details of the process will be finalized through a collaborative effort between IdS and IT Service Desk staff.

  • Proof the individual following the standard IT Service Desk vetting process.
  • Confirm that no registered devices are available:
      • Look at the Admin Panel to see what devices are enrolled.
      • Ask why any enrolled devices are not available.
      • Confirm that enrolled devices are not available (make sure all options have been explored). For example:
          • If the user has a smartphone or tablet enrolled, then make sure that the user is aware that the Duo Mobile app will work even without cellular service.
          • If the user has a landline enrolled, then check whether someone might be available at the landline to accept the authentication call for them or whether the number can be forwarded to another phone.
          • If the user has a token enrolled, confirm that the token is not with the user at this time or doesn’t simply need to be resynced.
  • Attempt to register a permanent replacement device:
      • Inquire about the availability of a mobile device or tablet to replace the unavailable device, either as a permanent back-up device or as the new primary device.
      • Reiterate the need to have two devices enrolled at all times.
  • If no permanent device is available, then attempt to enroll a temporary device (for example, if the user is talking to you on a phone, then offer to enroll that phone as the temporary device).
  • If no permanent or temporary device can be enrolled:
      • Instruct the user on how to enroll a permanent or temporary device as soon as possible.
      • Instruct the user on how to receive 10 passcodes to use until a permanent device can be enrolled (if applicable).

Issuing Bypass codes from the Duo Admin Panel

  • One-time bypass code (gets the user logged in one time and expires within 12 hours, which is 720 minutes):
      • Go to the lower section of the User screen.
      • Click on the “Add Bypass Code” button.
      • Click on “Change options.”
      • Under “Expire bypass codes,” select “After ___ Minutes” and enter no more than 720 (12 hours) instead of 60 (1 hour).
      • Under “It can be re-used,” click on “One time only.”
      • Click on “Generate Bypass Code.”
      • Scroll down to the “Bypass Code” section and click on “Show.”
      • Read the bypass code to the user.
      • The user will enter that bypass code into the WebAccess screen using the passcode option.
  • Up-to-5-time-use bypass code (the same bypass code can be used up to 5 times within 12 hours):
      • Go to the lower section of the User screen.
      • Click on the “Add Bypass Code” button.
      • Click on “Change options.”
      • Under “Expire bypass codes,” select “After ___ Minutes” and enter no more than 720 (12 hours) instead of 60 (1 hour).
      • Under “It can be re-used,” click on “___ times” and enter no more than 5.
      • Click on “Generate Bypass Code.”
      • Scroll down to the “Bypass Code” section and click on “Show.”
      • Read the bypass code to the user.
      • The user will enter that bypass code into the WebAccess screen using the passcode option.
  • In ServiceNow, record the name and Access Account user ID of the individual and the reason.


ITS Identity Services (11/18/15)