ITS announces DUO security updates for specific applications

DUO two-step authorization is required to log in on any platform using a Baylor account. Katy Mae Turner | Photographer

By Lily Nussbaum | Staff Writer

On Monday, Information Technology Services announced via email that some changes will be coming to DUO this month for many applications; however, the security will remain the same.

Starting Tuesday, the “Call Me” option will no longer be available in DUO. Following that, on Thursday, the “Text a Passcode” option will also no longer be an option.

“It’s become clear that using SMS text message as well as voice calls for authentication is no longer considered strong authentication by the government standards when we’re talking about accessing sensitive information,” Jon Allen, chief information security officer, said.

According to a WIRED article, SMS may be better than relying on a password alone, but in two-step logins, text messages are often the weakest step. Given it is a temporary sent passcode and not a self-made password or an application, it is more easily intercepted.

In addition to disabling the two modalities, a new Verified DUO Push will be instated on Nov. 15, Allen said. A six-digit number will be displayed on the screen when you attempt to log in. He said the number will then need to be entered in the app before hitting ‘OK’ and continuing.

“In the last six months, the attackers [or] the adversaries — however you want to call them — have started using user-exhaustion attacks to really make it to where users are just giving up and hitting ‘yes’ on the button,” Allen said.

One caveat to this new feature is it will only be used when logging into three applications: Office 365, BearWeb and Ignite. All other 100 or more applications that require DUO will only require a push acceptance without the six-digit code.

“[We’re] making sure to raise the bar,” Allen said. “We’re protecting the information we need to protect, but not pushing it so far that it becomes a massive nuisance for our community. We’re trying to balance that.”

The reason Information Technology Services chose these three applications stems from concern over the sensitive information they contain. BearWeb, for example, gives accessibility to credentials and the ability to redirect loan refund. In Ignite, paychecks for faculty, staff and student workers could also be redirected.

While it may expand to other applications, Allen said they hope to make it as minimal and as least invasive as possible while still maintaining a high level of security.

“That is what we’re pushing: making sure to minimize the occurrence of compromised accounts across our organization,” Allen said.

Students received the information email this morning. Temple sophomore Ellie Whitaker said she has never been a huge fan of the DUO process.

“DUO Push, for me, has been frustrating at times when I don’t have my phone,” Whitaker said. “I think the update sounds more of a hindrance than a blessing.”

Whitaker said she had overheard the possibility of changes to DUO in classes but was unsure about the specifics until the Monday email was sent out to students.

“While privacy is vital, I think students are looking for functionality and efficiency because we are busy,” Whitaker said. “I think we could find an easier way to make something safe.”

In addition to security updates, the interface will receive an update. The modern interface will work better on mobile browsers and give more features in the background. A screen entitled “Trust Browser” will also be available to remember a profile on a browser for seven days and reduce the number of times verification is required.

Every student, in anticipation of this change to security, will need to make sure that their current mobile device has the DUO Mobile app and that their device is enrolled.