By Emily Rushton
On July 17, 2018, Duo phone call and text message options for two-factor authentication (2FA) will be discontinued. Users need to select another method for Duo 2FA to log in to the majority of university applications (e.g. Canvas, CIS, Box) after July 17.
The university's Strategic Information Technology Committee approved this decision for a number of reasons – most importantly, recent industry guidance and practice has indicated that phone calls and text messages are vulnerable and not considered secure methods of authentication. There is also a significant cost associated with providing these authentication methods. The phone call option was intended to be a backup or emergency method for using Duo, yet for many it has become their primary method. The new backup option for Duo authentication will now be completed through the central university help desks (contact information below).
“Overall, removing these two methods of Duo authentication is a risk-based decision that was presented and approved at various levels of the organization," said Randy Arvay, Chief Information Security Officer. "Ultimately, we’re concerned with keeping our users and the university more secure as a whole, and these methods are not considered the most secure forms of 2FA.”
Users may choose one of the following options for 2FA, which are used by the majority of campus and U Health users:
Duo mobile app:
- Easiest and fastest method
- Install on a smartphone or tablet (includes Apple, Android, and Windows mobile devices - download from your device's app store)
- Two options to authenticate:
- Mobile push notification (select "approve" or "deny" from your device's home screen or Duo notification page - no need to type in a code)
- Type in a passcode (network connectivity is not required for this option)
Duo hardware token:
Questions or concerns? Contact the UIT Help Desk (801-581-4000, option 1) or ITS Service Desk (801-587-6000) for assistance.