MFA: Duo Security Enhancement with Verified Push
What is a Verified Duo Push?
If you currently use Duo Mobile push approval, in most cases, your experience will be replaced with the Verified Duo Push experience.
With the Verified Duo Push experience, the Duo Universal Prompt displays a numeric code three to six digits in length on-screen. You will need to enter this numeric code in your Duo Mobile Application.
This is similar to functionality that you may have already experienced in other products such as the Google Authenticator or the Microsoft Authenticator. This feature protects you from approving login requests not made by you and helps keep your accounts and information safe.
| Example: |
|
Enter the code shown on your screen into the Duo Push request received on your Android or iOS device. Android users only: tap Verify to finish approving the login request. |
How Do I Use Verified Duo Push?
When logging in to university applications, you’ll receive a prompt to log in using Verified Duo Push, which can reduce the chance that a push sent by an unauthorized person will accidentally be approved.
To authenticate with Verified Duo Push, please follow the instructions below.
1. Sign in with your UT EID and EID password.
2. A code will appear on your login screen.
3. Check your authentication device for a Duo notification and open it.
4. Enter the three-digit Duo mobile code into the Duo Mobile app on your authentication device (phone, tablet, or compatible smartwatch).
5. Select ‘Verify’.
6. Next, confirm the device verification prompt in your browser.
7. Once authenticated, the browser will log you into the application.
What Authentication Methods Are Approved?
For more information on approved authentication methods, please visit: Available Authentication Methods
What Authentication Methods Are No Longer Approved?
Authentication methods no longer approved are:
- Duo Mobile push approval (replaced by Verified Duo Push September 26, 2023)
- SMS passcodes
What's Changing with the UT VPN Service?
At this time, the only change being made to signing on to the UT VPN is that you will no longer be able to use SMS passcodes.
On a future (TBD) date, the UT VPN will be upgraded to support Verified Duo Push. At that point, Duo Mobile push approval will no longer be supported.
More information will be shared once it has been finalized.
How Do I Obtain and Configure A YubiKey?
1. If you’d like to purchase a YubiKey to use with Duo, you can do so at the Campus Computer Store, located on the ground floor of the Peter T. Flawn Academic Center (FAC). For ease of use, please select or request a Yubikey model with the description: "Can only be used with UT MFA Service".
2. Immediately after receiving your UT MFA Service YubiKey, visit the In-Person UT Service Desk (located in the FAC Lobby; store staff can direct you if needed) and ask to have it associated with your Duo account as a hardware token.
- If you do not perform the previous step, you will need to contact the UT Service Desk by phone at 512-475-9400 and ask to have your UT MFA Service YubiKey associated with your Duo account as a hardware token.
How Do I Use a YubiKey to Authenticate?
In the previous step, with the assistance of the UT Service Desk, your YubiKey was configured in your account as a hardware token, one of the approved authentication methods.
| Example: |
|
When authenticating to the UT VPN, place your cursor in the Duo Passcode field and tap your YubiKey. Acting as a hardware token, the YubiKey will automatically generate and enter a secure passcode to allow you to authenticate. |
How Can I Use My YubiKey As a Security Key?
Though your YubiKey is associated with your Duo account as a hardware token you may, in addition, register (and use) your YubiKey as a WebAuthn/FIDO2 security key.
To add your Yubikey as a Security Key, please refer to the instructions below:
1. First, visit the university's MFA Self-Registration Portal (You will need a different registered device handy to authenticate)
2. Authenticate, then select the Manage devices option to add new devices or remove existing devices. You will first be prompted to authenticate.
3. Follow the on-screen instructions to add a new device. Your YubiKey is recognized by Duo as a WebAuthn/FIDO2 security key.
- Note that WebAuthn/FIDO2 security keys require that you use an up-to-date version of Chrome, Safari, Firefox, or Edge.
4. Additional information and instructions can be found on the Duo Universal Prompt guide in the Add Another Device and Security Key sections.
Frequently Asked Questions
What App Versions Are Required to Run Verified Duo Push?
Verified Duo Push requires:
- Duo Mobile 4.16.0 or later on Android 8 or later.
- Duo Mobile 4.17.0 or later on iOS 13 or later.
For more information on Verified Duo Push requirements, please visit: App and Mobile Device Support for Verified Duo Push
Am I affected by this change?
First, this change will only impact staff in the Information Security Office, the IT Transformation organization, and Technology Resources (TRecs). Impacted customers will be proactively notified well in advance of any changes to their accounts.
Second, these changes only affect you if you use Duo Mobile push approval and/or SMS passcodes for Multi-Factor Authentication (MFA).
When will this policy go into effect?
This policy went into effect on September 26th, 2023.
How much does the YubiKey cost?
If you are part of the group of identified holders of administrative/special access accounts, your information has been provided to the Campus Computer Store. Each individual on that list is entitled to receive one YubiKey at no cost from the store.
The cost of replacement for lost or damaged YubiKey will be borne by the individual. Costs are set by and can be obtained from the store.
I am a full-time remote worker. How do I get my YubiKey?
Employees residing within the greater Austin area (Bastrop, Blanco, Burnet, Caldwell, Fayette, Hays, Lee, Llano, Travis, and Williamson counties) will need to travel to campus in order to obtain their YubiKey from the Campus Computer Store.
Employees residing outside of the Austin area will have their YubiKey sent to them.
Specifics will be arranged with the employee's department.
May I use my own YubiKey/security key?
You may use supported YubiKeys for WebAuthn/FIDO2 authentications, however, you will not be able to use them as a hardware token for generating passcodes (i.e., for connecting to the UT VPN).
The YubiKeys provided by the Campus Computer Store have been preloaded into the university's Duo instance and are ready to be associated with UT EIDs.
No process currently exists for registering your personally-owned security key as a hardware token though discussions are ongoing.
Where can I find more information about Verified Duo Push?
Visit the Verified Duo Push section on Duo's Universal Prompt guide.
Why is this change happening?
This change is being made in response to information security audit findings in order to bring the university's practices into closer alignment with existing policies, regulations, and best practices.
Can I plug my YubiKey into my phone?
It depends.
The best place to get this information is in Yubico's Physical Interfaces: USB, NFC, Apple Lightning® documentation.
For additional information, please contact Yubico support.
Where can I get help?
Front-line support is provided by the UT Service Desk. You can contact the UT Service Desk at 512-475-9400 or help@utexas.edu. Alternatively, you can visit the In-Person UT Service Desk located in the FAC Lobby.