Duo Verified Push: Coming Wednesday, July 15th

To address vulnerabilities that have been exploited by many recent phishing attacks, LITS will be making changes to Duo Multifactor Authentication over the coming months.
  • On July 15th, LITS will enable a more secure version of Duo Push called Duo Verified Push. This change will not affect other authentication methods such as phone call or Duo tokens. More details are below under Duo Verified Push.
  • In October, after Fall Break, LITS will disable the legacy phone call and text message passcode authentication options. We will communicate specific dates and support information closer to the effective date to ensure our community is supported through this transition.

Duo Verified Push

Duo Verified Push is very similar to Duo Push; the difference will be that you are asked to enter a code in the Duo Mobile app instead of just tapping “Approve.” It will look similar to this example image from Duo:

Why is LITS changing Duo?

The unverified Duo Push, phone call, and text message passcode methods are all vulnerable to types of attack that have become increasingly common. Almost all compromised accounts over the past two years have resulted from one of these vulnerabilities:
  • Duo Push/phone call: These are vulnerable to spontaneous and fatigue attacks, where a phisher sends a Push or phone call to the victim without warning (and repeatedly, in the case of a fatigue attack). It only takes a single accidental or mistaken interaction with these methods to allow a phisher into your account.
  • Text message passcode: This is vulnerable to social engineering attacks. The most common example is a phisher, masquerading as a College employee, will text the victim about a made-up issue with their account and ask for confirmation from the victim by requesting the passcode sent by Duo.
Removing these attack vectors should substantially decrease the number of compromised accounts. While this will improve the security of our system, these changes only increase the complexity required to attack the College and will not eliminate the possibility of compromised accounts. Community members should always remain vigilant for phishing attempts.
Please don’t hesitate to bring any questions to the LITS Help Desk in Canaday Library. You can drop by in-person, call 610-526-7440, or email help@brynmawr.edu. Thank you for your continued partnership in keeping Bryn Mawr systems secure!