Duo 2FA Best Practices

Duo two-factor authentication is a multi-step account login technology that requires users to enter more information than just a password. It was deployed for the University community as a security enhancement and provides better protection against stolen credentials by requiring a second confirmation before access is granted. Scammers have found ways to trick people into giving up access. One technique is to log in with stolen credentials and trigger a 2FA request, then repeat this until the account holder finally clicks “Accept.” Another is to send targeted phishing messages with a fake login page to steal credentials, followed by a spoofed Duo page to capture Duo passcodes, which remain valid for use.
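The repeated-prompt technique described above leaves a recognisable trace in authentication logs: a burst of unanswered or denied push requests for one account, sometimes followed by an approval. The script below is an added illustration of how an IT security team could flag that pattern; it is not code from the ITS Security Office or from Duo. The log entries are constructed, and the field names (`user`, `factor`, `result`, `reason`, `timestamp`) are assumed to loosely follow the shape of Duo authentication log records rather than being taken from this notice.

```python
"""Flag possible push-bombing (MFA fatigue) in Duo-style authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look for bursts of unapproved pushes within this span
THRESHOLD = 4                    # this many unapproved pushes in WINDOW is suspicious

# Constructed sample log, loosely modelled on Duo authentication log records.
# Field names are assumptions for illustration only.
SAMPLE_LOG = [
    {"timestamp": "2024-03-13T08:01:10Z", "user": "jdoe",   "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2024-03-13T08:01:45Z", "user": "jdoe",   "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2024-03-13T08:02:30Z", "user": "jdoe",   "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2024-03-13T08:03:05Z", "user": "jdoe",   "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2024-03-13T08:03:50Z", "user": "jdoe",   "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2024-03-13T08:04:20Z", "user": "jdoe",   "factor": "duo_push", "result": "success", "reason": "user_approved"},
    {"timestamp": "2024-03-13T08:10:00Z", "user": "asmith", "factor": "duo_push", "result": "success", "reason": "user_approved"},
    {"timestamp": "2024-03-13T09:30:00Z", "user": "asmith", "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2024-03-13T08:20:00Z", "user": "bchen",  "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2024-03-13T08:21:00Z", "user": "bchen",  "factor": "duo_push", "result": "fraud",   "reason": "user_marked_fraud"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: summary} for accounts that show a burst of unapproved pushes
    or that reported a prompt as fraud.

    A burst is the largest number of non-success push events for one user that
    fall inside any sliding window of length `window`. If a success follows the
    burst within another `window`, the account holder may have given in and
    approved a request they did not initiate, which warrants follow-up.
    """
    by_user = defaultdict(list)
    for event in events:
        if event.get("factor") == "duo_push":
            by_user[event["user"]].append(
                (parse_ts(event["timestamp"]), event["result"], event.get("reason", ""))
            )

    findings = {}
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e[0])
        unapproved = [t for t, result, _ in evs if result != "success"]

        # Sliding window over the unapproved push timestamps to find the densest burst.
        best, burst_end, start = 0, None, 0
        for end, t_end in enumerate(unapproved):
            while t_end - unapproved[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, burst_end = count, t_end

        fraud_reports = sum(1 for _, _, reason in evs if reason == "user_marked_fraud")
        if best >= threshold or fraud_reports:
            approved_after = burst_end is not None and any(
                result == "success" and burst_end < t <= burst_end + window
                for t, result, _ in evs
            )
            findings[user] = {
                "unapproved_pushes_in_window": best,
                "approved_after_burst": approved_after,
                "fraud_reports": fraud_reports,
            }
    return findings


if __name__ == "__main__":
    for user, summary in find_push_bombing(SAMPLE_LOG).items():
        print(user, summary)
```

Accounts flagged with `approved_after_burst` set are the ones to contact first, since an approval after a run of ignored prompts is the outcome the notice warns about; a `user_marked_fraud` report is already a signal from the account holder and is surfaced even when the burst is short.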

While Duo adds a second factor, individuals still need to be vigilant. The additional check is only effective if account owners decline access when they did not initiate the request. The ITS Security Office has published information about how to assess an authentication request and what to do if an individual suspects that they inadvertently granted access to someone else: security.uconn.edu/2023/03/13/duo-sound-the-alarm. We ask that you share this information with others in your area and encourage best practices.