Duo Mobile Passcode Authentication Option to be Disabled
Soon you will no longer be able to select Duo Mobile passcode as an option for Two-Step Authentication. If you use Duo Mobile passcode, you should switch to a more secure authentication option, such as Duo Mobile Push, or use a security key.
This change is scheduled to occur on Feb. 23, 2023, and will not impact other authentication methods that exist today.
What is the Duo Mobile passcode?
The Duo Mobile passcode authentication option allows you to authenticate with a numeric code generated by the Duo Mobile app. Unfortunately, the passcodes used in the Duo Mobile app have been determined to be insufficient for addressing the security risk to systems and users' personal information.
Why are Duo Mobile passcodes no longer sufficient?
A Duo Mobile passcode remains valid until it, or a subsequently generated passcode, is used. These passcodes are vulnerable to phishing attacks that are intricately designed to steal them before they expire, thus allowing malicious users to gain access to systems and user data.
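The validity rule described above, as an added example that is not part of the original notice and is not Duo's code: a counter-based one-time passcode check in the style of HOTP (RFC 4226). That Duo Mobile passcodes follow this scheme is an assumption; the `HotpVerifier` class, its look-ahead window and the secret (the RFC's published test key) are illustrative.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test key, not a real credential


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Hypothetical server side. The only state is a counter; no clock is consulted."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0      # next counter value the server expects
        self.window = window  # how far ahead of that counter a code may be

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Using a code retires it and every code generated before it.
                self.counter = c + 1
                return True
        return False


def demo() -> dict:
    first, second = hotp(SECRET, 0), hotp(SECRET, 1)  # two codes shown by the app

    # Case 1: a code that was generated but never used is accepted whenever it is
    # finally presented, because elapsed time is not an input to verify().
    a = HotpVerifier(SECRET)
    unused_code_accepted = a.verify(first)
    replay_accepted = a.verify(first)

    # Case 2: using a later code is what invalidates the earlier one.
    b = HotpVerifier(SECRET)
    later_code_accepted = b.verify(second)
    earlier_code_after_later = b.verify(first)

    return {
        "unused_code_accepted": unused_code_accepted,
        "replay_accepted": replay_accepted,
        "later_code_accepted": later_code_accepted,
        "earlier_code_after_later": earlier_code_after_later,
    }
```
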
What authentication options should I use?
Below are recommended alternative options:
- Security Key - Use a hardware-based device that plugs into your computer. To authenticate, tap the physical key — wireless access or a data connection is not required. These can be self-purchased and self-enrolled with no additional administration required.
- Duo Push - Send a push notification to your smartphone or tablet. To authenticate, tap Approve on the device.
Additionally, the following options continue to function:
- YubiKey passcodes - Tap the physical key to authenticate with a 44-character string. This option is not self-serve and requires administration from the Information Security Office (ISO) for proper setup.
- Hardware token - Use a battery-powered, physical token that generates a numeric passcode at the push of a button — wireless access or a data connection is not required.
- SMS text message passcodes - Send a text message with a single-use numeric code to your device. This less secure option may be disabled for users who access High Risk data.
- Phone call - Set up a mobile phone or landline to receive an automated phone callback to verify your identity. This less secure option may be disabled for users who access High Risk data.
How do I change my current default authentication method?
If you are using a browser that you previously used to authenticate, you will be presented with the last-used authentication method. To choose a different authentication method from the one initially shown in the prompt, select Other options and choose one of the other options available to you. New browsers will automatically present the most secure option available, such as Duo Push.
Duo Mobile is one of the multi-factor authentication tools Stanford uses to keep our systems safe and secure. To learn more about your two-step authentication options, visit the Two-Step Authentication website.