IT colleagues:
What’s changing? On August 7, 2024, Indiana University will enable Duo time-based one-time passcodes (TOTP), single-use passcodes that expire after 30 seconds, for everyone who uses mobile passcodes generated by the Duo Mobile app. UITS staff will be enrolled in TOTP a week earlier, on July 31, 2024, to act as a pilot group for testing. This six-digit passcode is a different multi-factor authentication method from the three-digit Duo Verified Push, which is not affected by this change.
Why the change? Attackers are aware that Duo mobile passcodes currently do not expire until they are used, or until a subsequent code is generated. These passcodes can also be used without alerting the account owner the way a push might. The University Information Security Office has seen passcodes phished along with username and passphrase and used weeks or even months later to access an account. The new one-time passcodes enhance security by ensuring that they are only valid for 30 seconds, making it much more difficult for attackers to use stolen codes.
Who is impacted? This change will affect all accounts that use Duo Two-Factor Login (faculty, students, affiliates, staff, retirees, group accounts, etc.).
Who is NOT impacted?
* Individuals with a Duo exception on file
* The IU Indianapolis testing center
* Those who use single-button hardware tokens
What actions do users need to take? No additional action is needed beyond promptly entering Duo passcodes within the allotted 30-second expiration window.
Can exemptions be granted? IT staff will be able to grant accessibility exemptions for their users via the Duo TOTP Exclusion Form starting July 12, 2024. Individuals with devices that can’t generate TOTP will not need to file an exemption, as their devices will still be able to generate the previous version of the passcode.
IMS will represent this change at Change Management on July 24, 2024.
For more information about Duo, refer to the Knowledge Base.
IT support staff may contact the UISO (uiso@iu.edu) with questions. Others with questions can contact their campus UITS Support Center or local UITS staff.
–IT Community Partnerships on behalf of the University Information Security Office
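
The difference described under "Why the change?" can be seen by verifying the same captured code under both schemes. This is an added example, not code from Duo or Indiana University. It assumes the non-expiring codes behave like RFC 4226 counter-based codes and the new ones like RFC 6238 TOTP; the secret, timestamps and names (`CounterVerifier`, `verify_totp`, `replay_demo`) are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a time-based code stays valid, per the announcement

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, unix_time):
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP)

class CounterVerifier:
    """Verifier for counter-based codes: it has no clock, only a counter."""
    def __init__(self, secret, look_ahead=3):
        self.secret, self.next_counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # this code and earlier ones are now spent
                return True
        return False

def verify_totp(secret, code, now):
    """Verifier for time-based codes: only the current 30-second step matches."""
    return hmac.compare_digest(totp(secret, now), code)

def replay_demo():
    secret = b"constructed-demo-secret"   # constructed sample value
    t_phish = 1_722_988_800               # constructed capture time (Unix seconds)
    t_replay = t_phish + 21 * 24 * 3600   # same code presented three weeks later
    server = CounterVerifier(secret)
    counter_code = hotp(secret, 0)        # captured before the owner ever submits it
    time_code = totp(secret, t_phish)
    return {
        "counter_code_weeks_later": server.verify(counter_code),
        "counter_code_reused": server.verify(counter_code),
        "time_code_same_window": verify_totp(secret, time_code, t_phish + 10),
        "time_code_weeks_later": verify_totp(secret, time_code, t_replay),
    }

if __name__ == "__main__":
    print(replay_demo())
```

The counter-based verifier accepts the captured code whenever it arrives, as long as the counter has not moved past it, while the time-based check rejects it once the 30-second step has passed.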