Using a less secure Duo method?

Using Duo as 2FA (two-factor authentication) adds an extra layer of security to university application access. Unfortunately, like any technology, some individuals have learned to exploit it. Attackers have used phishing and malware to spoof SMS messages and phone calls in order to obtain Duo access. Because of this danger, the university strongly recommends using only Duo Push and/or a YubiKey as your Duo response methods.

What does this mean to me?

If you currently use SMS or Duo phone calls to respond to Duo prompts, please change to one of the two more secure methods below:

  • Duo Push: Duo instantly sends a prompt to the Duo app installed on your smartphone.

You can verify your identity and gain access with just a quick tap. No more hassle with calls and texts: Duo Push streamlines the authentication process, providing an additional layer of security without sacrificing user convenience. Your peace of mind is our priority, and we believe Duo Push strikes the right balance between security and usability.

How to set up the Duo Mobile app push method:

Navigate to Manage Devices beginning at Step 6a.

  • YubiKey hardware key: A YubiKey is a hardware USB device similar in size to a USB thumb drive.

Insert the YubiKey into your computer, verify your identity, and gain access with just a quick tap.

A YubiKey hardware key can be purchased through the UR Tech Store.

How to set up the YubiKey method:

Navigate to Enroll in Duo Using a YubiKey


Why are phone calls and SMS being discouraged?

While better than relying solely on passwords, SMS and phone-based Two-Factor Authentication (2FA) methods have certain vulnerabilities that make them less secure than other authentication methods.

Here are some reasons why SMS and phone call-based 2FA can be considered less secure:

  • Phishing Attacks
    • Phishing attacks can trick users into providing their 2FA codes. For example, attackers may send fake messages pretending to be a legitimate service requesting the user to provide the code for verification.
  • SIM Swapping Attacks
    • Attackers can perform SIM swapping, where they trick a mobile carrier into transferring the victim’s phone number to a SIM card under the attacker’s control. Once they gain control of the victim’s phone number, they can receive the 2FA codes sent via SMS.
  • Man-in-the-Middle Attacks
    • Attackers can intercept SMS messages or phone calls containing 2FA codes through man-in-the-middle attacks. This involves intercepting and possibly altering communication between two parties without their knowledge.
  • Social Engineering
    • Social engineering techniques can convince mobile carriers to transfer a phone number to a new SIM card or to convince individuals to disclose their 2FA codes. Attackers may use personal information gathered through various means to manipulate individuals.
  • Device Theft
    • If a mobile device is stolen or lost, an unauthorized person may gain access to 2FA codes sent via SMS if the device is not properly secured.
  • Dependence on Single Factor (Phone Number)
    • SMS and phone call-based 2FA rely heavily on the security of the associated phone number. If an attacker gains control of the phone number, they can potentially compromise multiple accounts tied to that number.
  • No Biometric Verification
    • SMS and phone call-based 2FA usually lacks biometric verification, making it susceptible to unauthorized use by anyone who has physical possession of the phone.
  • Inherent Insecurity of SMS
    • SMS itself is not a highly secure communication channel. Messages can be intercepted, and the protocol was not designed with security as a primary consideration.


For more information on SMS and phone attacks, check out the article:

https://tech.rochester.edu/news-item/attacking-our-house-phishing-and-cyber-security-attacks-against-the-university/