Changes to Duo Multifactor take effect July 31

Due to recent phishing attacks targeting the Marquette community, IT Services will be making several improvements to its Duo Multi-Factor Authentication (MFA) implementation on Monday, July 31. New features will include:

  • Duo Verified Push – A new technology that asks users to enter a verification code from the access device into the Duo mobile app during the login process. This prevents the following attack vectors: 
    • Push Harassment – Multiple successive push notifications to bother a user into accepting push notifications for a fraudulent login attempt. 
    • Push Fatigue – Constant MFA prompts means users pay less attention to the details of their login, causing a user to thoughtlessly accept a push login. 
  • Security Checkup – Simple recommendations on how to further secure your mobile device. Potential device security issues, like an outdated operating system or lack of screen lock, are flagged within Duo Mobile for action by the end user. 
  • Instant Restore – Instant Restore allows users to reconnect Duo-protected accounts when they get a new device. 
  • Universal Prompt – A new, next-generation version of Duo’s interactive, web-based authentication interface that asks you to verify your identity each time you log in. The Universal Prompt is a redesign of Duo’s traditional authentication prompt and became generally available in February 2022. 

In addition to these new features, IT Services has also made changes to the way it issues SMS codes. To align with industry recommendations and best practices, Duo will now only issue a single SMS code that expires after five minutes. While convenient, SMS codes are susceptible to many kinds of attacks, including social engineering, SIM hacking, interception, device theft and wireless service provider account takeover. Expiring SMS codes will help combat many of these attack vectors. 

If you have questions about the Duo MFA, or if you want to report suspicious activities to IT, contact security@marquette.edu.