IT Professionals:
What’s changing? On Tuesday, August 1, Indiana University will enable Duo verified push for all staff members for services that use the universal Duo prompt like IU Login and IU Azure. When an individual logs into an application that uses Duo verified push, they will be shown a three-digit number on the screen of the device from which they are logging in. They will then have to enter those three numbers into the Duo Mobile app on their authentication device to approve the push. You can view the interactive demo provided by Duo to see what this interaction looks like.
Because of the extra assurance provided by Duo verified push, if you use the remember me option, you will only have to verify push requests every 30 days.
Who is impacted? The deployment of this change will be to all IU staff. Group accounts are not impacted. This is a follow-up to the rollout to UITS staff in May.
Why the change? Duo verified push provides additional protections against attackers sending unsolicited pushes trying to gain access to accounts of targeted individuals. This tactic is an emerging threat that we have seen widely used over the past year at IU.
Can my clients request an exemption? We will have an exception process for clients to request exemption (a form to be created toward the end of July). Reasons for an exemption include owning an outdated device that is unable to handle Duo verified push.
For more information about Duo verified push, refer to the KB Use Two-Step Login (Duo) with verified push (log in to see) and Duo’s description of Duo verified push.
For questions, please contact the University Information Security Office at uiso@iu.edu.
–IT Community Partnerships on behalf of University Information Security Office