
Duo MFA Changes Coming This Spring

Northwestern IT’s Multi-factor Authentication (MFA) Enhancement initiative is underway. It is intended to better secure University systems and protect the identities of the community against evolving cyberattacks designed to get through existing MFA protections. The effort includes turning off the telephony option in Duo (SMS passcode and phone call) and enabling Duo’s new Verified Push option.

Anyone still using telephony options is encouraged to take action now to move to more secure methods of MFA. We are rolling out both of these changes to University community members in stages this spring. Additional communications with specific dates for different members of the University community are forthcoming.

What is Verified Push?

[Image: Duo MFA enhancement with code]

Verified Push introduces a new verification code option for Duo Push. It provides additional security against push harassment and fatigue attacks by asking users to enter a verification code while approving an authentication request. When enabled, users logging into an application that requires MFA will see a six-digit numeric code in the prompt (see the example to the right). This code must then be entered on your authentication device to approve the Duo Push request. This change in method ensures you cannot accidentally approve login requests.

Accessing Verified Push

For individuals already using the Duo Mobile app and running version 4.16 (or higher) on Android and 4.17 (or higher) on iOS, there is nothing to do now. The authentication experience will remain unchanged until Northwestern IT enables Verified Push this spring. Anyone needing to check their Duo app version can review this Knowledge Base article.

Individuals Currently Using Telephony (SMS and Phone Call) Options

Anyone still using telephony in Duo can continue to do so until the telephony option is turned off later this spring. However, we encourage users to take action now, if possible, to move to more secure methods of MFA. Current telephony users can review the various options below, but they will also receive multiple communications in the coming months to offer information on available options.

Switch to Duo Mobile App

The Duo app is compatible with iOS and Android devices, including tablets, and it is the recommended method for verifying your identity. The Duo app, combined with an internet connection, allows for a “push” notification that will prompt you to enter a six-digit code once Verified Push is enabled. If an internet connection is unavailable (when traveling or otherwise), the Duo app can generate offline codes that can be used instead. It is the fastest and most convenient option to authenticate into University systems. Review this Knowledge Base article to learn how to switch to the Duo app.

Biometric Authentication

If your devices support TouchID, Windows Hello, or other biometric authentication, you can self-register these systems to use with Duo. Review Duo’s instructions to learn how to register your biometric authenticator.

YubiKey

The YubiKey is a hardware authentication device that plugs directly into your computer and is used whenever MFA is required to log into a University system. One downside is that you must always have it on hand to log in. If you leave it at home or work or lose it outright, you will be temporarily unable to access University systems. A list of compatible YubiKeys can be found on Yubico’s website. YubiKeys can be obtained directly from Yubico or major retailers such as Amazon. YubiKeys can be self-registered in Duo, similar to a biometric authenticator. If you have questions about YubiKeys, please contact the Northwestern IT Information Security Office.

Hardware Token

A Duo MFA token is a small, battery-powered device that attaches to a keychain. Pressing a button on the token generates a code on the built-in display, and it does not require cellular or internet service to receive passcodes. Its disadvantage is similar to that of the YubiKey above. Hardware tokens are available to University community members and can be purchased with a chart string from Northwestern IT. If you have questions about hardware tokens or how to obtain a token, please contact the Northwestern IT Information Security Office.

Is Duo Push the only option for MFA?

While Duo Verified Push is the recommended solution for MFA, Northwestern IT will continue to support codes generated by the Duo Mobile app, hardware authenticators (YubiKeys), Duo Tokens, and biometric authenticators such as TouchID or Windows Hello.

Thank you for helping to secure Northwestern’s University systems and protect the data within them. If you have any questions, please direct them to the IT staff in your specific schools and units or to the Northwestern IT Information Security Office.