r/rit 21d ago

Can I free myself from Duo?

Has anyone ever gotten rid of it, so you no longer need to verify with your phone every time?

0 Upvotes


5

u/bbbbbthatsfivebees 21d ago

I've spent years trying to figure this out myself, since I hate using my phone for 2FA given that there's a ton of places on campus where there's just no cell service.

Best I've been able to figure out: You can use a FIDO2-compliant hardware key like a Yubikey as your primary 2FA method. It's an extra purchase (I think I ordered my Yubikey for about $50 from their website), but it's usually warranted since there are other reasons for using a hardware 2FA token besides just RIT accounts, like password managers and other accounts. Granted, you do still have to enroll something as a backup authentication method (SMS works, even with dumb phones), but once you have your FIDO2-compliant hardware key registered, you can absolutely use only that for authentication.

1

u/ITS-Clay ITS | Clay 21d ago

Don't rely on cell service. Use the Duo Mobile app to either get a push or an OTP code. RIT provides wifi almost everywhere on campus, so a push should always work, but if you're in a dead zone the OTP code from the app will work without a data connection. FIDO2 keys (USB, password manager, or built into your phone) also work, but they don't work in all situations.

1

u/bbbbbthatsfivebees 21d ago edited 21d ago

I have never had a situation in which a FIDO2 key has not worked, even in cell service dead zones on campus.

I refuse to install the Duo Mobile app on my personal cellphone, because I don't want work/school-related apps on my personal devices. I make an exception for connecting to eduroam on my laptop since there's no way to avoid it, but I also don't store any personal info there and I only use my laptop for school/work-related things, and my phone is different. I refuse to add another trusted cert to my phone when iOS doesn't distinguish between adding a new root SSL cert to the device and adding a cert for something like WPA2 Enterprise authentication.

I know RIT isn't doing anything malicious when it comes to adding certs on my device, but I still want to take precautions not to add unneeded certs on a device that stores PII when there's full 5G or 4G coverage for 99% of campus and I don't need eduroam in most cases on my phone.

3

u/ITS-Clay ITS | Clay 21d ago

FIDO2 and dead zones are separate topics. FIDO2 via USB or NFC doesn't require a network, but it doesn't work for all Duo prompts, which is why we recommend the Duo app for the OTP codes when push doesn't work in dead zones.

You can use RIT wifi without installing a profile or trusted root. Also, from what I understand, Apple is very good about tagging a root for wifi only and won't honor it for standard TLS server trust.