Important Duo Security Enhancements

Publish Date

2024-07-15

Duo Security Enhancements to Duo Mobile Generated Passcodes and Device Management Communications

What is happening?

In our continued efforts to improve Duo 2-Factor Authentication configuration for enhanced security and usability, starting July 17, 2024, Duo Mobile generated passcodes will have a 30-second expiration limit.

Additionally, users will now be notified by Duo Mobile Push, when a new device is added to or removed from their Duo profile.

Why is this happening?

We are implementing this change to enhance security and address recent cyberattacks targeting the university community. A 30-second passcode expiration aligns with the industry standards and best practices and helps protect against cyberattacks that leverage non-expiring passcodes.

Additionally, Duo device change notifications will alert users to suspicious activity indicative of a compromised account and prompt action.

What do I need to know?

After the change, Duo Mobile generated passcodes will expire 30 seconds after being generated and, depending on the application, will be usable for up to 60 seconds.

What do I need to do?

Take immediate action to change your password and review your Duo devices if you receive an unexpected notification that your Duo devices have been modified.

Duo Mobile generated passcode users should be mindful of the countdown timer indicating how many seconds it takes until the passcode is refreshed. Passcodes are refreshed every 30 seconds.

For ease of use, it is highly recommended that Duo Mobile Push notifications be used in place of Duo Mobile-generated passcodes. Duo Mobile Push notifications are easier to use and more secure.

Remember, receiving an unsolicited Duo authentication request or notification could be a sign that your password is compromised. By denying the Duo request, you've allowed Duo to protect your account. It's imperative that you immediately change your password to stop the cyberattack and secure your account.