How to improve your Duo (multi-factor authentication) experience

We’ve now been using Duo multi-factor authentication with Office 365 and other applications for over a year, and I appreciate the positive response we’ve had to this important security enhancement. Here are a few metrics that show the massive scale and usage of this security tool.

  • 154,428 logins using Duo over the last 365 days, averaging more than 423 per day.
  • 34,116 logins expedited through the Remember Me function.
  • 1,881 faculty, staff, student worker, and vendor accounts protected.

Top authentication methods:

Duo Push: 75%
Phone Call: 20%
Duo Mobile Passcode: 2.5%
SMS Passcode: 2.1%
Invalid Passcode: 0.4%

If you’re not already using Duo Push as your primary method to log in, I’d encourage you to try it. Duo Push comes from an app installed on your smartphone that provides a quicker, easier, more secure, and cheaper method than receiving phone calls or text messages.

Why is Duo Push the best method?

  • It’s quicker than a phone call or text. You simply approve a notification on your smartphone.
  • It’s more secure. Duo Push uses end-to-end encryption, which SMS and phone calls can’t provide, and the screen displays detailed information about the application and device that initiated the request.
  • Each push uses very little data. 500 pushes to your device will use about 1 MB of data, roughly equivalent to loading one webpage on your smartphone.

The Duo Mobile app required to use Duo Push does not have any control over your phone. It cannot change settings, read emails, or see browser history, and it requires your explicit permission to send notifications. You are always in control of the app.

If you don’t have Wi-Fi or cell reception, you can still log in using the app. Tap the ▼ icon to generate an authentication passcode anytime, anywhere.

Read more about how to set up a device with the Duo Mobile app in the IT Service Portal guide Using the Duo Self-service Portal (How-to).

Duo is designed to prevent attackers from using lost or stolen passwords to access personal information. The primary way passwords are lost and stolen is through phishing. If you encounter an email or webpage that you suspect is malicious, don’t click links, download attachments, or reply. ITS will be continuing phishing education this month using emails that mimic real attacks.

For more information on how to report phishing emails, see Reporting a Phishing Message (How-to).

—Peter Lundstedt, ITS