DUO Mobile is undergoing a complete update on Feb. 28, which will revamp the concept of DUO Push.
The DUO Mobile application is the standard security feature currently in place to log into UO accounts. The current “DUO Push,” which involves tapping an “approve” or “disapprove” button for Canvas access, will become “Verified DUO Push,” which will require users to enter a three-digit code to access their accounts.
UO Chief Information Security Officer José Domínguez said that the update will strengthen cybersecurity against online hackers.
“It’s an industry change where we have seen that the [DUO] methodology has been exploited by malicious actors,” Domínguez said. “They just inundate you with requests that you end up just saying ‘yes’ because you figure it’s one of your devices.”
According to Domínguez, he has seen some DUO users have their information compromised by cyber attackers.
“This is important because we have seen some of our user community actually being scammed and being financially impacted by this,” Domínguez said. “So this will really help remove that as an avenue for malicious actors to exploit your credentials or that user’s credentials.”
This DUO change will be happening for all institutions that use DUO as their security vendor, according to Domínguez.
“When you use DUO, it installs [a software] to your device to know that you have been authenticated,” he said. “Malicious actors found a way to exploit that so DUO decided to change, and they’re making all of their clients upgrade to their ‘universal product.’”
Another new feature DUO is implementing is the use of biometrics such as Face ID and Touch ID to access UO accounts, according to Domínguez.
“You can configure your devices for DUO to use biometrics and accelerate that way of logging in,” Domínguez said. “That’s another way this [update] is going to be beneficial to all of the community.”
According to Domínguez, cyber attackers are a real threat to DUO users, and despite the idea that two-factor authentication will eliminate that threat, more needs to be done by the DUO organization.
“When you get a push, you need to know where you are going to type those three digits,” he said. “If [cyber attackers] don’t have those three digits, they can’t use your account, and we’ve been seeing a lot of our users falling victim to these phishing scams.”