From the CIO

VCU Technology Services

Happy Leap Day! For this month’s report, I would like to highlight a fairly large change we are instituting next month to enhance security while continuing to modernize our authentication systems and processes.

Embracing Enhanced Security: Transitioning to DUO Universal Prompt with Verified Push

As we navigate the evolving landscape of cybersecurity, it’s paramount that we stay ahead of potential threats while ensuring seamless access to our digital resources. To this end, we are excited to announce a significant upgrade in our authentication processes. We’re moving from the traditional DUO integration for our Single Sign-On (SSO) portal to the advanced DUO Universal Prompt, with a special focus on the Verified Push option. This transition is not just an upgrade; it’s a leap towards bolstering our defenses and enhancing user experience.

Why the Change?

The traditional DUO integration has served us well, providing robust two-factor authentication (2FA) that added an essential layer of security to our login processes. However, the cyber threat landscape is dynamic, and over the years, threat actors have gained abilities to bypass traditional 2FA solutions. One common method for defeating traditional 2FA solutions is to repeatedly harass a victim with Push requests, in hopes that the victim will approve the login request. This technique is often referred to as an MFA harassment or MFA fatigue attack.

In addition to the security weaknesses in the traditional 2FA solutions, DUO is also retiring traditional 2FA, thus prompting its customers to move to the Universal Prompt solution.

Introducing DUO Universal Prompt with Verified Push

The Universal Prompt is the next step in DUO’s evolution, designed with both security and simplicity in mind. It offers a cleaner, more intuitive user experience that simplifies the authentication process. But the real game-changer is the Verified Push feature.

As we’ve become accustomed to constantly verifying login attempts, the risk of inadvertently approving a fraudulent request increases. Verified Push combats this by providing detailed context for each authentication request. You’ll see not just a prompt to approve or deny access but also information on the application, location, and device attempting to access your account. This added layer of detail empowers you to make informed decisions, drastically reducing the likelihood of falling prey to sophisticated phishing attacks.

What This Means for You

For individuals using DUO Push for their VCU authentication, this transition means a smoother, more secure login experience. The days of deciphering cryptic authentication requests are over. With Verified Push, you’ll have clear, actionable information at your fingertips.

Specifically, you will experience the following changes once you authenticate through our Central Authentication Service. Rather than being prompted with the traditional screen for sending a DUO Push notification to your phone, you will be prompted with a 5-digit code.

Following the initiation of the DUO Push request, you will be asked to enter the same 5-digit code from your login screen on your mobile device instead of tapping the Approve button to proceed.


When Will This Happen?

Transitioning to the DUO Universal Prompt with Verified Push will occur in March 2024. Additional information related to the change can be found at DUO Universal Prompt | Technology Services | VCU. Further communication will be going out when a firm date is set for this transition. Thank you for your help and cooperation in keeping our community safe from cyber threats.

Please stay tuned for further updates.

Alex

Comments

Before this update, DUO had a checkbox option labeled “remember me for 60 days.” Has it been intentionally removed, or was it inadvertently affected by the upgrade?

This is now moved to a different part of the UI. Once people log in, they will see a screen which will allow you to have the system remember your device. Thanks!

Thank you.
