As part of a planned update to York's Duo 2FA service, the Information Security team upgraded the previously used Duo Push to the new and improved Duo Verified Push.
Duo Verified Push enhances the security of the traditional Duo Push experience by requiring users to enter a three-digit code from the authentication prompt on their access device. This update will bolster MFA security and help prevent the following push-based authentication vulnerabilities:
- Push Harassment – Attackers persistently send numerous push requests to bother users until they give in and accept one just to make the notifications stop.
- Push Fatigue – Users will become overwhelmed with constant MFA requests sent by attackers, causing them to neglect proper validation of requests and mindlessly accept a fraudulent push.
This upgrade will help to strengthen the security of our 2FA service while also reducing the risk of compromise through push-based authentication vulnerabilities that attackers commonly exploit.