Educause Security Discussion mailing list archives

Duo Toll Scammers - Custom Enrollment Portal?


From: "Telfer, Will" <Will_Telfer () BAYLOR EDU>
Date: Tue, 13 Jul 2021 15:47:22 +0000

Greetings,

Due to the ongoing toll scam scheme that is costing us telephony credits, we have made some changes to our Duo setup 
on campus & are now forcing first time enrollment through our campus enrollment portal, as opposed to allowing it on 
any service protected by Duo (users can enroll devices after the first device on any service protected by Duo, just not 
the first device). The other restriction implemented on the campus enrollment portal is that the first device enrolled 
must be a mobile device or a tablet with the Duo Mobile app installed OR a Security Token (U2F device). We do have Duo 
Hardware Tokens available for purchase at our campus bookstore, but those are not able to be self-enrolled, so just 
like with those if a user does not have a mobile device (yes, we have some of those), chooses not to use the Duo Mobile 
app (we have some of this too), or wants to enroll just a phone number (landline or desk phone) as their first device 
they will have to call our IT Help Desk to have the phone number entered in the Duo Admin Console under their user.

I was curious if anyone had implemented a custom enrollment portal that allowed for more granular control of how users 
enroll that would keep out the toll scammers, but allow a better experience for your legitimate users. In our case the 
toll scammers are using "free" applicant accounts that have no permissions in our system but do get a user ID & a 
password. They were attempting to authenticate via phone call using foreign numbers that cost 20 telephony credits per 
call, but they have switched to just enrolling via phone call over & over again to drain our credits, which is why phone 
number enrollment is now disabled for all first time users & we have implemented group restrictions to eliminate the 
ability for user accounts not in allowed groups to attempt authentication. I have worked with Duo at each step, but 
have figured a lot of this out on my own as we were unable to disable phone & SMS authentication when the scammers 
first started hitting us since we have users that have those methods as their only authentication method.

Please feel free to contact me via the listserv or off list if you have questions or wish to share any information 
about a custom Duo Enrollment Portal that you think may help us mitigate the toll scammers.

Thank You,
Will Telfer, M.S.
Identity and Authentication Analyst
Information Technology Services

Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website: baylor.edu/BearAware

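As an added illustration (not code from the original post, from Baylor, or from Duo), here is a small Python check a defender could run over an export of Duo telephony events to spot the pattern Will describes: repeated enrollment-context phone calls to the same number, foreign numbers, and calls costing the 20 credits he cites. The record fields (context, type, phone, credits, timestamp) are modelled on the Duo Admin API telephony log as I understand it; treat the field set, the thresholds and the sample records as assumptions.

```python
from collections import defaultdict

# Constructed sample records modelled on the Duo Admin API telephony log fields
# (context, type, phone, credits, timestamp); field set and values are assumptions.
SAMPLE_LOG = [
    {"timestamp": 1000, "context": "enrollment", "type": "phone", "phone": "+4420555000101", "credits": 20},
    {"timestamp": 1300, "context": "enrollment", "type": "phone", "phone": "+4420555000101", "credits": 20},
    {"timestamp": 1900, "context": "enrollment", "type": "phone", "phone": "+4420555000101", "credits": 20},
    {"timestamp": 2500, "context": "enrollment", "type": "phone", "phone": "+4420555000101", "credits": 20},
    {"timestamp": 5000, "context": "enrollment", "type": "phone", "phone": "+12545550123", "credits": 1},
    {"timestamp": 7000, "context": "authentication", "type": "sms", "phone": "+12545550199", "credits": 1},
    {"timestamp": 9000, "context": "authentication", "type": "phone", "phone": "+12545550123", "credits": 1},
]

DOMESTIC_PREFIXES = ("+1",)  # assumption: legitimate campus numbers are North American
HIGH_COST_CREDITS = 20       # per-call cost the post cites for foreign phone calls


def analyse_telephony(records, window_seconds=3600, burst_threshold=3):
    """Group telephony events by phone number and flag the toll-fraud pattern:
    bursts of enrollment-context calls, foreign numbers, and high-credit calls."""
    by_phone = defaultdict(list)
    for rec in records:
        by_phone[rec["phone"]].append(rec)

    findings = {}
    for phone, recs in by_phone.items():
        recs.sort(key=lambda r: r["timestamp"])
        enroll = [r for r in recs if r["context"] == "enrollment" and r["type"] == "phone"]
        # Largest number of enrollment calls to this number inside any sliding window.
        max_burst, start = 0, 0
        for end in range(len(enroll)):
            while enroll[end]["timestamp"] - enroll[start]["timestamp"] > window_seconds:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        flags = []
        if max_burst >= burst_threshold:
            flags.append("enrollment_burst")
        if not phone.startswith(DOMESTIC_PREFIXES):
            flags.append("foreign_number")
        if any(r["credits"] >= HIGH_COST_CREDITS for r in recs):
            flags.append("high_cost_call")
        findings[phone] = {"calls": len(recs), "enrollment_calls": len(enroll),
                           "max_burst": max_burst,
                           "credits": sum(r["credits"] for r in recs), "flags": flags}
    return findings
```

Numbers carrying any flag are candidates for review in the Duo Admin Console or for a group restriction like the one described above; the sum of "credits" across findings shows how much of the telephony balance the flagged numbers consumed.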

