IT Professionals:
What’s changing? On Monday, May 15, Indiana University will be enabling Duo Verified Push for all UITS employees for services that use the universal Duo prompt like IU Login and IU Azure. When an individual logs into an application that uses Duo Verified Push, they will be shown a three-digit number on the screen of the device from which they are logging in. They will then have to enter those three numbers into the Duo Mobile app on their authentication device to approve the push. You can view the interactive demo provided by Duo to see what this interaction looks like.
Because of the extra assurance provided by Duo Verified Push, if you use the remember me option, you will only have to verify push requests every 7 days.
Who is impacted? The initial deployment of this change will be to UITS employees. If you are aligning into UITS, but have not moved yet, you will not see this change until you officially move into UITS.
Why the change? Duo Verified Push protects someone from accidentally approving login requests when they aren’t actively logging in. This will provide additional security against attackers gaining access by sending unsolicited Duo pushes to targeted individuals. This tactic is an emerging threat that figured prominently in the Uber compromise of 2022, among others.
For more technical information about Duo Verified Push, refer to Duo’s description of Duo Verified Push.
For questions, please contact the University Information Security Office at uiso@iu.edu.
–IT Community Partnerships on behalf of University Information Security Office