
DUO Verified Push

January 22, 2024

Changes to our Duo Two Factor Authentication

OIT and the Information Security Office are working to be two steps ahead of bad actors and keep you and your sensitive information safe and secure. Part of that effort is a switch from the existing Duo Push method to Duo Verified Push. 

What is Duo Verified Push?

Duo Verified Push changes the way you use Duo by requiring a multi-digit code to be entered when you authenticate via Verified Push on your device.

Why Duo Verified Push? Why now, why are we making this change?

Hackers and bad actors have raised the bar. Their attacks are becoming increasingly sophisticated and persistent, using advancements in technology and AI to get your information. However, as the attackers have gotten better, so has UC Merced. Additional technologies and safeguards coming this semester, like Duo Verified Push, help us stay two steps ahead of them.

Duo Verified Push is focused on defending against one of the biggest challenges the campus community faces: social engineering, in which bad actors use deception to trick you into giving up personal information, usually in the form of impersonation through text messages, spam, phishing, and even phone calls. Because of the human element involved, these bad actors have had a lot of success with social engineering, and through it they exploit one of the biggest problems with Multi-Factor Authentication: Push Fatigue and, to a lesser extent, Push Harassment.

About Duo Verified Push

Duo Verified Push adds an additional step to the Push authentication process. You still receive a push notification as usual, but you will be prompted to enter a multi-digit code, shown on the device you are logging in on, into the Duo app. Each time you authenticate you will see a unique code, making it much harder for bad actors to abuse push fatigue. An important note: OIT and UC Merced will NEVER ask for your Verified Push code. This code is for you and you alone to authenticate into your account. Just like personal passwords, share it with no one.

 

FAQ

Frequently asked questions on Duo Verified Push

Does this mean I cannot “Trust This Browser” to have my session saved for 14 days, like I can under Duo Push?

Trust This Browser functionality has not changed! When you authenticate via Verified Push, or any other authentication method, you will be asked if "This is your device." Selecting that it is your device will remember your device for 14 days. This only applies to the browser you are using, so if you use multiple browsers or devices, you may need to authenticate multiple times in a day.

What is Push Fatigue (and what is Push Harassment, anyway)?

The traditional DUO Prompt system asks you to confirm your identity by popping up a prompt asking you to approve or deny a DUO login on your phone, tablet, or mobile device. This helps the system confirm you are who you say you are and adds another level of security to the normally insecure “Password Only” scenario. However, as time goes on, the act of approving a DUO prompt becomes routine and “mindless”, even when we are not doing anything UC Merced related. With so many tabs, browsers, and applications using DUO Prompt, using it so often creates a feeling of complacency and safety. After all, DUO should only be prompting for something on YOUR system, right? So, without thinking, you approve the prompt without looking at any details or checking the application it's requesting. This mindless accepting of a DUO Prompt is often referred to as “Push Fatigue.”

A close cousin of Push Fatigue is called Push Harassment. What is Push Harassment? Simply put, a Bad Actor with your password repeatedly bombards your phone or device with a DUO prompt. Because it happens repeatedly in a short period of time, users often think their computer is “stuck” or an application is trying to log in in their computer’s background, so to stop the annoying DUO Prompt users just Approve the prompt. This makes the annoyance go away, but also grants access to whatever resource the bad actor was trying to get access to.

Together, Push Fatigue and Push Harassment have become a serious issue for UC Merced. How can we fix this? Well, for starters, education and training will go a long way towards helping to thwart these kinds of attacks, but more advanced technologies can absolutely help as well.

How do I get Duo Verified Push?

Currently, Duo Verified Push is available to everyone on campus on an opt-in basis. If you want to opt in, please submit an opt-in request. Since we are still testing out Duo VP, we are also gathering feedback from those who opt in; please submit any feedback you have via our feedback form.