The DUO Two-Factor Authentication (DUO 2FA) system will be changed on November 20 to enhance the university’s information security posture.
This change will impact all systems and services which require DUO 2FA.
Why is DUO 2FA Changing?
The current standard DUO 2FA authentication methods, DUO Push and Call Me, prompt us to approve login attempts by either selecting approve in the DUO Mobile App (Push) or by stating approve on a phone call (Call Me).
As nefarious actors’ tools for obtaining login credentials have become more advanced and numerous, the risk of your WashU account being compromised has risen.
If your WUSTL Key username and password were to become compromised it would be easy to accidentally approve a login attempt which you did not initiate using our current methods of Two-Factor Authentication.
The DUO 2FA changes detailed below will help mitigate the risk of your inadvertently approving a login attempt initiated by an individual with nefarious intent.
How is DUO changing on November 20?
DUO Push
Current DUO Push
- Enter your WUSTL Key Login information
- DUO 2FA Push sends a push to your enrolled mobile device
- Open the DUO App on your mobile device
- Select Approve
New DUO Push
- Enter your WUSTL Key Login information
- DUO 2FA Push displays a code on your screen
- Open the DUO App on your mobile device
- Enter the code presented in Step 2
Please ensure the DUO Mobile App has been updated on your device(s)
If the DUO Mobile App is not updated per the instructions below,
then you will not be able to authenticate using DUO Push on November 20.
How to View Your Operating System Version and Update It
- Android Devices must be running Android OS 8 (Oreo) or higher.
- Please visit Check & update your Android version for instructions.
- Use the Google Play store to update your DUO Mobile App to version 4.17 or higher
How to View your Operating System Version and Update it
- Apple iOS devices must be running iOS 13 or higher
- Please visit Find the software version on your iPhone, iPad or iPod for instructions on viewing the iOS your device is currently running.
- Please visit Update your iPhone or iPad for instructions on updating your iOS.
- Use the App store to update your DUO Mobile App to version 4.17 or higher
- Open the DUO Mobile App on your mobile device
- Select the Hamburger Icon in the upper left of the screen
- The Version number will appear in the lower left of this screen
Call Me and Passcode Available Via Exception Only
- If you currently use the Call Me feature please transition to using DUO Push. See the I use Call Me and need to set up DUO Push instructions to enroll your smartphone.
- The Call Me and Passcode features can be made available upon an approved exception request as they have been identified as significant security vulnerabilities.
- Exception Requests require review and approval by the Office of Information Security.
- Visit the Can I Still Use Call Me or Passcode Authentication page for more information on the exception request process.
Note: Current Passcode exception holders can continue using Passcode Authentication.
What other services are changing on November 20?
Connecting with Virtual Private Network (VPN)
- The Cisco AnyConnect Mobility Client will leverage the familiar WUSTL Key login and DUO 2FA using your device’s default browser.
- Please visit the https://live-it-washu.pantheonsite.io connect page for more information on Wash VPN
DUO Device Management Portal
- The DUO Device Management portal, currently in development, will allow you to add and remove authorized mobile devices for your DUO 2FA verifications.
- You may receive an email notification and a DUO Push notification when devices are added to or removed from your DUO account.
- This portal will be used to sign up for DUO as well.
New Authentication Methods are in Development
- We are currently developing alternate authentication methods to the DUO Push.
- Additional information will be distributed as these alternate methods are developed.
We thank you in advance for assisting us in enhancing information security at WashU.
While improved systems and processes can help improve the university’s information security posture, our collective efforts as people truly ensure it.