2factorauth / twofactorauth

List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.
https://2fa.directory

Update University of Colorado Boulder #7718

Closed spellbind0127 closed 1 year ago

spellbind0127 commented 1 year ago

Site name

University of Colorado Boulder

Site URL

https://www.colorado.edu/

Update reason

Other (please describe below).

Additional information

As an undergrad who goes to the University of Colorado Boulder, I do not think they should qualify for 2FA. I am rarely if ever asked for a 2FA code when I sign in to Outlook at CU (this includes if you use a VPN). BuffPortal, which is what I use to access basically everything as a student, doesn't support 2FA.


hkamran80 commented 1 year ago

CU Boulder's Office of Information Technology says that:

Yes, everyone using CU Boulder's Microsoft 365 instance will be required to use MFA.

Could it be that the Buff Portal isn't part of their M365 instance, and therefore not backed by their MFA?

spellbind0127 commented 1 year ago

As someone who goes to CU Boulder, I can confirm that you don't log in using M365 to access 90% of what students access. For that, CU uses their own SSO solution that doesn't support MFA.

hkamran80 commented 1 year ago

Well that's frustrating. In that case, do you want to add a note to the entry?

spellbind0127 commented 1 year ago

I think we should remove it as having 2FA, as I have never encountered the "2FA" that they have "enabled" on their Microsoft products.

spellbind0127 commented 1 year ago

For your convenience, your sign-in session on your regular devices will not require you to login or use multi-factor often, but it will protect your account if any suspicious attempts to login are detected. (That's not 2FA in my book, that we have another way to verify you when there's suspicious activity on your account.)

Carlgo11 commented 1 year ago

Looks like CAS is used with a private OAuth server, although why anyone would want to go through the hassle of setting up their own SSO/SAML service is beyond my comprehension.

CAS does provide modules for MFA but you're saying no MFA is provided at all when authenticating through the non-MS365 SSO portal?

spellbind0127 commented 1 year ago

Yes, but I am also saying that they don't have 2FA in general because I never get asked for a 2nd factor (even logging in with a VPN on in incognito mode).

spellbind0127 commented 1 year ago

So yes, I am accusing the school of lying about enabling 2FA.

hkamran80 commented 1 year ago

Wow.