Duo Notification Changes Designed to Better Protect You

On Dec. 12, we’re making important security changes to Duo notifications. Duo is Stanford’s multifactor (previously called two-step) authentication service that verifies your identity when logging into Stanford websites and applications. 

What’s changing?

  • For everyone at Stanford: When you add or remove a device, you’ll now receive both an email and a Duo Push notification on your enrolled devices.
  • For the Stanford Alumni Association and External Relations only: Instead of selecting “Approve” in the Duo app, you’ll be prompted to enter a three-digit code, or Verified Duo Push, shown on the login screen.

Why this change? 

This additional verification helps to protect you from approving access you didn’t request. The Information Security Office has been monitoring recent cyber attacks on several peer institutions that use this sort of deception to gain access to systems. These attacks often use phishing emails that lead to fake login portals, as well as phone-based scams (vishing) where attackers pose as IT staff or colleagues to request credentials or security exceptions.   

How to protect yourself

Even with these Duo updates, vigilance is your best defense. Please keep these best practices in mind: 

  • Be cautious with unprompted requests. University IT Service Desk staff will contact you only in response to a ticket you submitted, and legitimate communications will reference your specific request.
  • Never share your password or Duo codes. No one from Stanford IT will ever ask for them.
  • Approve only Duo Pushes you initiate. Deny any unexpected notifications and report them immediately via a Help ticket.
  • Stay alert for phishing attempts. Be especially careful with messages about donations, donor lists, payment changes, or access requests. Always verify the full sender address, even if it appears to be from someone you recognize. Use the Phish Reporter button in Outlook (preferred) or forward suspicious emails to phishing@stanford.edu.
  • Use Cardinal Key. Once you have configured Cardinal Key for authentication to Stanford services, you should never see Stanford login requests asking for username and password, and can be suspicious of any that do.
  • Maintain strong, unique passwords. Review UIT’s password standards for guidance (and remember to update passwords regularly).
  • Immediately report any suspicious activity to your local IT support and the Information Security Office. During holidays and after hours (outside 9 a.m. to 5 p.m. PST weekdays): Contact IT Operation Center (ITOC) via the #itoc channel on Stanford’s Slack, and submit a ticket with the University Privacy Office.

DISCLAIMER: UIT News is accurate on the publication date. We do not update information in past news items. We do make every effort to keep our service information pages up-to-date. Please search our service pages at uit.stanford.edu/search.