Duo Verified Push is now enabled to enhance Duo's security and make the Duo authentication process more resistant to attacks.
Reason for change
The reason for this change is that, as security defenses evolve, so do attacks. Recent attacks have included attackers finding ways to trick the account holder into authorizing the malicious access in Duo. Unfortunately, we have seen several successful attacks on our community credentials. Adding this additional quick step will disrupt this type of attack.
What is changing?
This change affects one of the Duo authentication options - Duo Mobile Push. When this change is implemented, the Duo Mobile Push process will be altered. When logging in to an application protected by Duo, users of this method will be presented with a numeric code:
On the Duo Mobile app, rather than tapping the "Approve" button (current behavior), users will be prompted to enter the 3 digit code for authentication. Enter the 3 digit and select Verify:
- Duo Mobile App - in some cases, users may be prompted to update their Duo Mobile app if it is outdated.
- Apple Watch Duo Approvals - you can still approve Duo notifications on your Apple watch by entering (type, draw, dictate) the 3 digit number.
- Other Authentication Methods -
- YubiKeys and Duo Mobile Passcode - not impacted
- Apple Touch ID available on your MacBook you can enable this as an option for MFA/Duo authentication instead of the Duo Mobile push notifications.