March 4 Duo Security Updates
To protect the important personal and financial information of university employees, some additional security measures have been applied to Duo multifactor authentication.
Duo Verified Numerical Push to Be Required for Email and Applications that Use Single-Sign-On
Beginning Monday, March 4, when logging into university email or any application that uses single-sign-on using a push from the Duo mobile application, you will see a verified numerical push that requires entering a numerical code. Applications that use single-sign-on include iCollege, PAWS and many others.
This additional security feature better ensures that only you can log into your account by demonstrating a number on the login screen that you enter in the mobile app when verifying login.
Verified push is already in use for login to OneUSGConnect for faculty, staff and student employees. This expands use of this important security feature to additional applications.
The VPN will not require verified numerical push, but will continue to allow push notifications as well as other authentication methods.
Verified Numerical Push Notifications: When logging with a Duo push from the mobile application on your phone or device, you will see a verified push that requires entering a numerical code. This additional security feature better ensures that only you can log into your account by demonstrating a number on the login screen that you enter in the mobile app when verifying login.
Minimum Requirements:
To receive a verified push, you will need a phone with:
- Duo Mobile 4.16.0 or later on Android 8 or later.
- Duo Mobile 4.17.0 or later on iOS 13 or later.
If your phone doesn't meet these requirements, you can verify login with phone call, yubikey, or bypasscode.
Previous Recent Updates
Mobile Application Passcodes Not Available in OneUSGConnect
To further protect important employee information, using a mobile passcode generated from within the Duo mobile application on your phone or device is no longer available for login to OneUSG Connect. Other forms of Duo authentication, including phone call, YubiKey, and passcodes will continue to be available.
Mobile Application Passcodes in Other Applications
In all applications, Duo Mobile one-time passcodes from the Duo mobile app are becoming more secure by expiring after 30 seconds to prevent attackers from trying to collect and re-use them at a later time. You will begin to see a timer in the Duo mobile app that reflects this feature after the end of the semester. You will need to be using version 4.49 or later of the Duo Mobile app to use these passcodes.
While the interface of this login verification tool will looks a little in the browser, Duo will continue to function in the same way. The upgrade will also provide some new usability and security features that the university will be able to take advantage of moving forward. New features, for example, include more visible inline instructions for setting up, managing, and remembering devices.
The new version of Duo is hosted and will always appear as a second step after login with a URL containing duosecurity.com/.
Defaults to Previously Set-Up Method
When you log in for the first time after the upgrade in a browser or device, you will be automatically prompted to verify login using a method you have already set up, for example application push, phone call or Yubikey.
Note: For first-time login after the upgrade, verification method will be presented in order of security.
Order of Security:
Duo considers security keys (Yubikeys) to be the most secure authentication method. So if you have set up a Yubikey, you'll automatically see the prompt to use it the first time you log into that application after the Duo upgrade.
The Duo method considered next secure is using Duo Mobile to approve a Push notification, which is also the most common and recommended method. If you have a phone or tablet with Duo Mobile activated, Duo will automatically send a Push notification the first time you log into that application after the upgrade. Simply press Approve.
If you haven't set up Duo Mobile, then Duo will automatically select the next available option such as Phone Call.
If you use a legacy Duo Token, you would enter the code generated by the token using the Passcode option.
Generating a temporary Bypass Code online is also an available option.
New users will be prompted to set up.
Click Other Options for More
Just click Other options to change the method to use to login. Note: Once you complete Duo verification using this option, future logins from the same device and browser will begin to automatically default to this same method.
Remembering a Device
Users are encouraged to click Yes, this is my device for Duo to remember their individual devices and browsers when not shared with others.
