New Duo Security Enhancements Coming to York

As part of planned updates to York’s current Duo 2FA service, UIT will be deploying an extra layer of security through the implementation of Duo Verified Push, Time-Based One-Time Password (TOTP) codes, and the Self-Service Device Management (SSDM) portal.

What’s Changing?

  • Verified Push will ask you to enter a 3-digit code during the login process. This additional layer of security helps prevent accidentally accepting a malicious login request.
  • Duo Mobile passcodes become exclusively time-based and refresh every 30 seconds.

Note: Duo Verified Push only affects applications that support Universal Prompt (Passport York, Self-Service Device Management (SSDM) portal, and O365).

Windows RDP and VPN are not affected by the change to Verified Push.

For more details, continue below.

Duo Verified Push enhances the security of the traditional Duo Push experience by requiring users to enter a three-digit code from the authentication prompt on their access device. This update will bolster MFA security and help prevent the following push-based authentication vulnerabilities:

  • Push Harassment – Attackers will persistently send numerous push requests to bother users until they give in and accept the request to stop receiving push notifications.
  • Push Fatigue – Users will become overwhelmed with constant MFA requests sent by attackers, causing them to neglect proper validation of requests and mindlessly accept a fraudulent push.

 

 

Duo Time-Based One-Time Password (TOTP) codes help make MFA more resistant to phishing attacks by introducing a 30-second window of use for passcodes. The previously used HOTP codes were non-expiring, which made them available for later use by attackers if intercepted.
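The difference between the two passcode types, shown as an added example that is not Duo's or York's code: it implements the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms and replays an intercepted code against each. The verifier functions, the look-ahead of 3 counters and the drift tolerance of 1 step are assumptions for illustration; the secret is the RFC test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds; the passcode refresh interval stated in the announcement

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since epoch."""
    return hotp(secret, now // STEP)

def verify_hotp(secret: bytes, server_counter: int, code: str, look_ahead: int = 3):
    """Return the next server counter if the code matches, else None.
    Time is not an input, so an unused code stays valid indefinitely."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None

def verify_totp(secret: bytes, now: int, code: str, drift: int = 1) -> bool:
    """Accept codes from the current step +/- `drift` steps (assumed tolerance)."""
    step = now // STEP
    return any(hmac.compare_digest(hotp(secret, s), code)
               for s in range(max(0, step - drift), step + drift + 1))

def replay_demo() -> dict:
    secret = b"12345678901234567890"   # RFC 4226 test secret, not a real key
    t0 = 59                            # constructed timestamp (RFC 6238 vector)
    stolen_hotp = hotp(secret, 5)      # intercepted before the user submitted it
    stolen_totp = totp(secret, t0)
    return {
        # No clock involved: the replay works whenever the attacker tries it.
        "hotp_replay_later": verify_hotp(secret, 5, stolen_hotp) is not None,
        # Only a newer code being used first retires the stolen one.
        "hotp_after_counter_moves": verify_hotp(secret, 6, stolen_hotp) is not None,
        "totp_10s_later": verify_totp(secret, t0 + 10, stolen_totp),
        "totp_90s_later": verify_totp(secret, t0 + 90, stolen_totp),
    }

if __name__ == "__main__":
    print(replay_demo())
```

With the assumed tolerance of one step either side, a verifier accepts a TOTP code for somewhat longer than the 30 seconds it is displayed, so the acceptance window is set by the server's drift setting as well as the step size.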

 

 

What Devices and Duo Versions are compatible with the upgrade?

Duo Verified Push requires a minimum version of:

  • Duo Mobile 4.16.0 or later on Android
  • Duo Mobile 4.17.0 or later on iOS

For use of TOTP codes, users are required to be on Duo Mobile app version 4.49 or later.

Are other 2FA devices affected?

The upgrades will only affect the Duo mobile app experience.

What if I cannot upgrade to the required version?

  • In order to use Duo TOTP codes, you will need a device that supports the Duo Mobile app version 4.49 or later. The current version of Duo Mobile supports iOS 15.0 or greater and Android 11 or greater.
  • If your device does not support this version of Duo and you are unable to upgrade, please find other options here: 2FA Authentication Methods.

For more information, please refer to the following documentation. You can also watch an interactive demonstration and try Duo Verified Push for yourself.

 

Duo has also introduced a new Self-Service Device Management (SSDM) portal to allow users to access the device management interface directly. This will allow users to add/remove devices without the help of IT/Help Desk staff.

To access Duo SSDM, please visit https://yorku.login.duosecurity.com/ and log in with your Passport York credentials. Once inside the portal, users will be able to add, remove and configure their authentication devices independently.

Benefits:
Users no longer need to reach out to IT staff for help with managing their devices. The new SSDM portal will equip users with the autonomy to manage their own authentication, improving the overall efficiency of Duo MFA.

What Devices and Duo Versions are compatible with the new SSDM?
Supported iOS and Android versions:
The current version of Duo Mobile supports iOS 15.0 or greater and Android 11 or greater.

Supported Browsers:
Duo Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile) and Edge.

Note:
Not all browsers support all Duo authentication methods. Although we do not require users to download the Chrome browser, Duo recommends Chrome for the most seamless user experience and widest compatibility.

The supported browsers are listed below:
• Google Chrome
• Safari
• Firefox
• Microsoft Edge

For more information, please refer to the following documentation from Duo.

Please contact askit@yorku.ca if you have any questions or concerns.