Topics in this article
- Benefits of Duo Verified Push
- Getting started with Duo Verified Push
- Using Duo Verified Push during login
- Additional questions and considerations (travel and other options)
Benefits of Duo Verified Push
Bad actors (aka hackers) are now successfully targeting Duo two-factor authentication. Previously, attackers would use phishing emails or spyware to obtain your username and password but be unable to access UW resources when they were asked to complete two-factor authentication. Tactics have changed. Now, once an attacker has obtained your username and password through phishing, they will try to login and initiate the Duo push process, often at inconvenient times when you are likely to just tap approve on your phone. Attackers are also contacting their targets directly, trying to trick them into approving their login attempt. These tactics are becoming more successful, potentially allowing attackers access to resources and data.
UW employees are receiving additional protection with the implementation of Duo Verified Push, which enhances security by requiring you to enter a specified code in your Duo Mobile app on your mobile device during the login process.
Getting started with Duo Verified Push
If you have already installed the Duo Mobile app on your smartphone and are using it for push authentication, then there is nothing else that you need to do to start receiving verified push! Read the next section to learn how to use verified push. (*Make sure that you are using a supported version of the Duo Mobile app. See Additional Questions at the bottom of this article.)
If you are not using the Duo Mobile app for push authentication, you will need to install the app and enroll your mobile device. For assistance, see Two-Factor Authentication at the University of Wyoming - How to Enroll.
Using Duo Verified Push during login
To see how Duo Verified Push works, try this interactive demo: https://demo.duo.com/verified-push (Once on the site, click “Next” to begin the demo and then interact with the example login.)
Steps to use Duo Verified Push are provided below:
1. Begin your normal UW login process.
2. In your web browser, Duo will provide a temporary verification code. Simultaneously on your mobile device, the Duo Mobile app will ask if you are logging in. Tap this prompt on your mobile device to continue. (Note that the “Other options” link can be used to select other enrolled devices and two factor authentication methods that you have previously set up.)
3. Enter the provided verification code into your Duo Mobile app on your mobile device and then click Verify. This code will be unique each time you receive a verified push. IMPORTANT! If you are not currently trying to login and receive this prompt in Duo Mobile, then click “I’m not logging in” which will deny access to a potential hacker and allow you to report a suspicious login. It is important to report this as it means that your password has been compromised.
4. After you have entered the code, you will be asked if you Trust this browser? If you are using a shared/public computer, select “No, do not trust this browser.” This will prevent others from taking over your session after you leave the computer. If you select "Yes, trust browser" you will not be prompted for Duo authentication in this browser for 10 days.
5. Once the code has been verified, your access will be approved and login is complete!
Additional questions and considerations
Is two-factor authentication required? Can I opt out?
You will need to use two-factor to login for both the safety of your data and the safety of the university community. There is no opt out procedure.
How do I use two-factor if I am out of the country or on sabbatical?
The Duo Mobile app can be installed on most smartphones as well as on Apple and Android tablets, and Duo Mobile Verified Push works anywhere with internet connectivity (you do not need cell service).
If a smartphone or tablet is not an option, a hardware token (or key fob such as a YubiKey) can provide secondary authentication. To find out more, read our article How to enroll and use a Two Factor device (fob) to authenticate or contact the UWIT HelpDesk.
Will Duo Verified Push work on an older smartphone device?
For old or outdated devices, UWIT encourages employees to upgrade their phone. To log in with Duo Verified Push, employees will need:
- Duo mobile version 4.16.0 or later on Android 10 or later
- Duo mobile version 4.17.0 or later on iOS 13 or later
To see which version of Duo Mobile is installed on your device, open the Duo Mobile app and tap the menu icon. The app version will be displayed in the bottom left corner.
What if I do not have a mobile device (such as an Android or iOS smartphone or tablet) to use the Duo Mobile app?
An alternative to using a mobile device for two-factor authentication is a hardware token (a key fob such as a YubiKey). To find out more, read our article How to enroll and use a Two Factor device (fob) to authenticate or contact the UWIT HelpDesk.
If you are unable to use a smartphone, tablet, or hardware token for authentication, you can discuss options with the UWIT HelpDesk or submit a request for exception.