43F3E567-FFDF-97F2-5210965A481A0307
BE95A4E6-A3C1-4451-929CFB99DCA22FBA

In an effort to better communicate with the Hamilton College community of ongoing information security notices and alerts this Notices and Alerts page seeks provide information on cybersecurity activity targeted at the Hamilton Community and the broader higher education community. Awareness and education are the strongest defense to stop malicious activity and protect Hamilton's systems, data, and people. For any information security concerns contact infosec@hamilton.edu.

Disallowing Duo app generated passcodes

Duo logo
Duo logo
Tags Duo MFA Phishing

Duo is the Multi-Factor Authentication solution that is used to protect Hamilton College information systems and data (https://www.hamilton.edu/offices/lits/rc/duo). The Duo mobile app allows for authentication to occur via Push (approving a notification sent to your device), Voice (approving via a telephone call to your device) or via a Passcode (6-digit number generated in the app). 

The app can generate multiple passcodes that all remain valid until the most recent passcode is used for authentication. This presents a potential security gap specific to Duo app-generated passcodes. If an end user was phished and unknowingly supplied a Duo app-generated passcode to a spoofed website (such as in THIS example), that passcode remains valid and can be exploited unless and until a more recent passcode is legitimately used for authentication.

In reviewing Hamilton's information security posture as it relates to Multi-Factor Authentication, Duo app-generated passcodes are being disabled as an authentication method.

The Duo app can still be used for Push authentication; Duo Push will work over cellular or WiFi connected devices.

If you are in need of a Duo passcode, please contact the Hamilton College Help Desk to request a Duo hardware token at helpdesk@hamilton.edu or 315-859-4181.

---------------------

There will be no changes to Duo Push, Duo Voice Calls, or using the Duo Hardware Token for authentication. This change is limited to the Duo app-generated passcodes.

No comments yet.



All Entries

Contact

Contact Name

Jerry Tylutki

Director of Information Security and Privacy

Help us provide an accessible education, offer innovative resources and programs, and foster intellectual exploration.

Site Search