Duo: the New, Annoying, Secure Way

Tiana Meador

Beginning November 1, all students at the University (including UMN students, faculty, staff, and users with sponsored accounts) are required to enroll in Duo Security for their MyU account annual password reset (a phase-in that will last 12 months). 

But what does this actually mean? Well, upon logging in, you are required to go through a two-factor authorization, via phone, push notification, or code, which is generated within your Duo App. The process is quite irritating when you are short on time or without service for your device. However, cybersecurity is a rising problem, and although horribly annoying, this idea is well planned.

Duo’s website says, “For organizations of all sizes that need to protect sensitive data at scale, Duo’s Unified Access Security (UAS) solution is a user-centric zero-trust security platform for all users, all devices and all applications.”

Sure, your MyU account contains sensitive information, including payments, loans, employment documents (if you are an employee of the University), academics, and more. However, most students look past this fact and jump straight to the annoyance of getting into their accounts, neglecting the fact that Duo Security allows for a seven-day remembrance period.

“Passwords simply aren’t enough anymore. Over the past few years, phishing and identity-theft crimes have increased in higher ed. Some of our peer institutions have suffered large-scale phishing attacks. At our own University, faculty, staff, and students have had paychecks, tax returns, and financial aid stolen as a result of password theft,” says University of Minnesota’s IT page.

This is true, and it is scary.

One of the leaders in threat analysis is Symantec, whose staff say they “maintain one of the world’s most comprehensive vulnerability databases, currently consisting of more than 95,800 recorded vulnerabilities (gathered over more than two decades) from 25,000 vendors representing over 78,700 products.”

Through their Internet Security Threat Report (ISTR), they found that “A whopping 54.6 percent of all email is spam. Even more to the point, their data show that the average user receives 16 malicious spam emails per month, which leads to some scary math. Even if you only have 20 employees, that’s 320 times a month you have to trust in their ability to correctly scrutinize emails and make the right call,” The Barkly Team reports.

What is relevant to us is the relative click rates for most clicked lures. Although DocuSign and Dropbox accounts take the top two phished spots, University phishing stands at third, as reported by ProofPoint’s The Human Factor 2018 Report.

If you Google “Phishing University” you will find numerous articles spanning from University of Michigan to South Carolina University to Cincinnati University to Columbia University and even to recaps by The Washington Post. The threat is ubiquitous.

One account posted on University of Cincinnati’s website embodies how a simple university email, i.e. one that is from the student’s account and looks legitimate, can have a faulty link to login to an account, thus causing the student to unwittingly give up information.

Then the question is, how would Duo protect against phishing attacks if you are directly authorizing the login? According to Duo, the interface allows users to “inspect all devices used to access corporate applications and resources in real time, at the time of access, to determine their security posture and trustworthiness.”

Although this new interface is highly irritating to students, the idea of it does provide some food for thought. As we transition to an entirely digital world, all of our sensitive data is exposed to hackers.