Notices
To better communicate ongoing information security notices and alerts to the Hamilton College community, this Notices and Alerts page seeks to provide information on cybersecurity activity targeted at the Hamilton community and the broader higher education community. Awareness and education are the strongest defense to stop malicious activity and protect Hamilton's systems, data, and people. For any information security concerns, contact infosec@hamilton.edu.
Disallowing Duo app generated passcodes
March 10, 2023
Tags: Duo, MFA, Phishing
Duo is the Multi-Factor Authentication solution that is used to protect Hamilton College information systems and data (https://www.hamilton.edu/offices/lits/rc/duo). The Duo mobile app allows for authentication to occur via Push (approving a notification sent to your device), Voice (approving via a telephone call to your device) or via a Passcode (6-digit number generated in the app).
The app can generate multiple passcodes that all remain valid until the most recent passcode is used for authentication. This presents a potential security gap specific to Duo app-generated passcodes. If an end user was phished and unknowingly supplied a Duo app-generated passcode to a spoofed website (such as in THIS example), that passcode remains valid and can be exploited unless and until a more recent passcode is legitimately used for authentication.
In reviewing Hamilton's information security posture as it relates to Multi-Factor Authentication, Duo app-generated passcodes are being disabled as an authentication method.
The Duo app can still be used for Push authentication; Duo Push will work over cellular or WiFi connected devices.
If you are in need of a Duo passcode, please contact the Hamilton College Help Desk to request a Duo hardware token at helpdesk@hamilton.edu or 315-859-4181.
---------------------
There will be no changes to Duo Push, Duo Voice Calls, or using the Duo Hardware Token for authentication. This change is limited to the Duo app-generated passcodes.
Contact
Contact Name
Jerry Tylutki
Director of Information Security and Privacy