On October 17th, UIT will be deploying an extra layer of security to the current Duo 2FA system through the implementation of Duo Verified Push and Time-Based One-Time Password (TOTP) codes.
Verified Push:
Duo Verified Push enhances the security of the traditional Duo Push experience by requiring users to enter a three-digit code from the authentication prompt on their access device. This update will bolster MFA security and help prevent the following push-based authentication vulnerabilities:
Push Harassment – Attackers persistently send push requests to a user until the user accepts one simply to stop the notifications.
Push Fatigue – Users become overwhelmed by the constant MFA requests sent by attackers, stop properly validating each request, and mindlessly accept a fraudulent push.
Note: Duo Verified Push only affects applications that support Universal Prompt (Passport York, the Self-Service Device Management (SSDM) portal, and O365). Windows RDP and VPN are not affected by the change to Verified Push.
TOTP Codes:
Duo’s Time-Based One-Time Password (TOTP) codes help make MFA more resistant to phishing attacks by introducing a 30-second window of use for passcodes. Previously used HOTP codes were non-expiring, which made them available for later use by attackers if intercepted.
What Devices and Duo Versions are compatible with the upgrade?
Duo Verified Push requires a minimum version of:
Duo Mobile 4.16.0 or later on Android
Duo Mobile 4.17.0 or later on iOS
For use of TOTP codes, users are required to be on Duo Mobile app version 4.49 or later.
Are other 2FA devices affected?
The upgrades will only affect the Duo mobile app experience.
What if I cannot upgrade to the required version?
To use Duo TOTP codes, you will need a device that supports Duo Mobile app version 4.49 or later. The current version of Duo Mobile supports iOS 15.0 or later and Android 11 or later.
If your device does not support this version of Duo and you are unable to upgrade, please find other options here: 2FA Authentication Methods.