Duo, our multi-factor authentication (MFA) service, recently notified the University that one of its telephony vendors, which Duo uses to deliver MFA messages via SMS and phone calls, experienced a security breach. The attacker gained access to the vendor’s internal systems and downloaded message logs. This incident, along with several others, underscores the importance of adopting robust multi-factor authentication methods such as Duo Push or YubiKey.
If you use phone calls or SMS texts to receive your multi-factor authentication from Duo, we urge you to switch to Duo Push or a YubiKey for enhanced security. Push notifications provide a handy second verification option for daily use, while the YubiKey is a phishing-resistant backup.
Pros and Cons of Each Method
| Method | Pros | Cons |
|---|---|---|
| Phone/SMS Verification | Widely available, convenient | Vulnerable to social engineering, SIM swapping, phishing |
| Push Notifications | Convenient, doesn’t require carrying another device | Still susceptible to phishing if you are not vigilant. Remember, if you didn’t initiate a Duo authentication, report it as fraud in the Duo app. |
| YubiKey | Highly secure, phishing resistant | Requires physical possession, may not be supported by all services |
What does this mean for me?
You should change your method of Duo verification to one of the following options:
- Duo Push: With Duo Push, you receive a prompt via the Duo app installed on your smartphone. You can verify your identity and gain access with just a quick tap. No more hassle with calls and texts – Duo Push streamlines the authentication process, providing an additional layer of security without sacrificing user convenience. You should still be vigilant and not accept the push notification if you did not initiate the Duo authentication, since that could mean someone is trying to gain access to one of your accounts.
To set up the Duo Mobile app push method, navigate to Manage Devices, beginning at Step 6a.
- YubiKey hardware key: YubiKey is a hardware USB device similar in size to a USB thumb drive.
Insert the YubiKey into your computer, verify your identity, and gain access with just a quick tap. You should use YubiKey for highly sensitive accounts or privileged access.
A YubiKey hardware key can be purchased through the UR Tech Store. You’ll need to enroll your YubiKey before use; follow the instructions here: Enroll in Duo Using a YubiKey.
For more information on using secure Duo methods, please review:
Using a less secure Duo method? – News – University IT (rochester.edu)