As part of planned updates to York’s current Duo 2FA service, UIT will be deploying an extra layer of security through the implementation of Duo Verified Push, Time-Based One-Time Password (TOTP) codes, and the Self-Service Device Management (SSDM) portal.
What’s Changing?
- Verified Push will ask you to enter a 3-digit code during the login process. This additional layer of security helps prevent accidentally accepting a malicious login request.
- Duo Mobile passcodes become exclusively time-based and refresh every 30 seconds.
Note: Duo Verified Push only affects applications that support Universal Prompt (Passport York, the Self-Service Device Management (SSDM) portal, and O365).
Windows RDP and VPN are not affected by the change to Verified Push.
For more details, continue below.
Duo Verified Push enhances the security of the traditional Duo Push experience by requiring users to enter a three-digit code from the authentication prompt on their access device. This update will bolster MFA security and help prevent the following push-based authentication vulnerabilities:
- Push Harassment – Attackers will persistently send numerous push requests to bother users until they give in and accept the request to stop receiving push notifications.
- Push Fatigue – Users will become overwhelmed with constant MFA requests sent by attackers, causing them to neglect proper validation of requests and mindlessly accept a fraudulent push.
Duo Time-Based One-Time Password (TOTP) codes help make MFA more resistant to phishing attacks by introducing a 30-second window of use for passcodes. The previously used HOTP codes were non-expiring, which made them available for later use by attackers if intercepted.
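The difference between the two passcode types can be seen with the generic RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms. The following is an added example, not code from Duo or UIT; the look-ahead window, the drift allowance, the capture time and the `replay` helper are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds: the passcode refresh interval stated above
SECRET = b"12345678901234567890"  # RFC 4226 test secret, not a real credential

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, now, digits=6):
    """RFC 6238: the HOTP counter is the number of 30-second steps since epoch."""
    return hotp(secret, now // STEP, digits)

def verify_hotp(secret, server_counter, code, look_ahead=3):
    """Counter-based check: no clock is involved, so an unused code never ages out.
    Returns the new server counter on success, or None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1  # the accepted counter and all earlier ones are retired
    return None

def verify_totp(secret, now, code, drift_steps=1):
    """Time-based check: only the current step, plus or minus drift, is accepted."""
    step = now // STEP
    return any(hmac.compare_digest(hotp(secret, s), code)
               for s in range(step - drift_steps, step + drift_steps + 1))

def replay(delay):
    """Present codes captured at t0 again after `delay` seconds (hypothetical helper).
    Returns (hotp_accepted, totp_accepted)."""
    t0 = 1_700_000_000  # constructed capture time
    stolen_hotp = hotp(SECRET, 0)   # generated on the device, never submitted
    stolen_totp = totp(SECRET, t0)
    return (verify_hotp(SECRET, 0, stolen_hotp) is not None,
            verify_totp(SECRET, t0 + delay, stolen_totp))

if __name__ == "__main__":
    for delay in (10, 90, 3600):
        print(delay, replay(delay))
```

A time-based code presented 10 seconds after capture is still accepted, so TOTP limits how long an intercepted passcode remains useful rather than preventing its use inside the window.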
What Duo Versions are compatible with the upgrade?
Duo Verified Push requires a minimum version of:
- Duo Mobile 4.16.0 or later on Android 8
- Duo Mobile 4.17.0 or later on iOS 13
For use of TOTP codes, users are required to be on Duo Mobile app version 4.49 or later.
Are other 2FA devices affected?
The upgrades will only affect the Duo Mobile app experience.
What if I cannot upgrade to the required version?
- In order to use Duo TOTP codes, you will need a device that supports the Duo Mobile app version 4.49 or later. The current version of Duo Mobile supports iOS 15.0 or greater and Android 11 or greater.
- If your device does not support this version of Duo and you are unable to upgrade, please find other options here: 2FA Authentication Methods.
For more information, please refer to the following documentation. You can also watch an interactive demonstration and try Duo Verified Push for yourself.
Please contact askit@yorku.ca if you have any questions or concerns.