The Duo Security login experience is set to change for student workers, staff, faculty and affiliates this Wednesday.
Duo and USC announced on Tuesday that a new feature called “Verified Push” will replace the current “Push” feature, and Duo app passcodes will be eliminated as a sign-in option. Using Duo is required to access USC services online.
The removal of the passcode method will prevent users from accidentally accepting a login request, according to a university-wide email alert from USC ITS services. The current system is susceptible to what Duo calls “Push Harassment” — when a user is bombarded by repeated fraudulent login push notification requests.
Staff, faculty, affiliates and student workers will be required to use Verified Push, which makes users enter a three-digit verification code to complete the login process.
Students, who will not be required to use Verified Push, will see fewer changes. Besides some minor changes to the Duo login interface and the loss of the app passcode sign-in option, the core functionality will remain the same. Users will still be able to receive phone calls as well as SMS passcodes on their registered phone number, according to USC’s Keep Teaching Digital Campus website.
Nicholas Villanueva, a sophomore at USC majoring in biology, said that while the new changes will be annoying, they will ultimately make USC more secure.
“When it comes to cyber security, I guess it’s a step forward,” Villanueva said, “but I do think that there can be ways to make it a little faster than having to type in a whole passcode.”
Other students, like Doug Peterson, a sophomore majoring in computer science, showed less optimism for the potential benefits.
“I don’t think it’s going to make that much of a difference to be completely honest,” Peterson said. “I get, you know, they’re trying to do stuff in the name of security. It’s going to annoy some people.”
To use Duo Verified Push, Android users must update to Operating System (OS) 10.0 or later, and iPhone users must be on iOS 14.5 or later, according to USC’s Digital Campus website. There is a web-based option for Duo called the Universal Prompt authenticator, but it requires users to download additional software.
Erik Hanson, a postdoctoral teaching fellow in the Department of Political Science and International Relations, thinks having additional sign-in options that do not require a cell phone would be beneficial.
“At [UCLA], I did have two colleagues who did not have cell phones, and they found it very difficult to log in under this Duo Mobile system,” Hanson said. “I think having options for students with technological concerns or income concerns [which] makes it difficult for them to have a cellphone … is somewhat helpful.”
USC faculty and staff are mandated to undergo Information Security Awareness Training. The training covers topics like data protection, social engineering and password selection.
“I know that a lot of security incidents occur because of social factors where people are exposed to phishing attempts or other kinds of social engineering issues,” Hanson said. “I’m not sure if Duo Mobile fully solves the human element or the social element of some of these security issues.”