Security Update to Duo 2FA

2FA adds a second layer of protection to the login process. The first factor is a normal UConn credential pair (username and password), and the second factor is the Duo-enrolled device. Together these make it much harder for a threat actor to access an account and its associated data.

One way you can authenticate on Duo is with passcodes. Previously, Duo issued hash-based one-time passcodes (HOTP), which did not expire until used. While this gave people more time to complete their authentication, it also potentially gave hackers more time to use stolen codes and compromise accounts. Because of this vulnerability, Duo has made time-based one-time passcodes (TOTP) available. A TOTP passcode expires after use or after 30 seconds have elapsed, whichever occurs first. TOTP passcodes are an industry standard and are strongly preferred over HOTP passcodes.

Next week, ITS will formally deprecate HOTP passcodes in favor of TOTP passcodes. The new TOTP passcodes require Duo Mobile version 4.49 or newer. We will be reaching out directly to community members who may need to update their mobile app.
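
The difference in passcode lifetime described above can be seen in a small model of both schemes, following RFC 4226 (HOTP) and RFC 6238 (TOTP). This is an added example, not code from Duo or ITS. The verifier classes, the RFC test secret, and the absence of any clock-skew allowance are assumptions made for illustration and do not describe Duo's server.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test secret (constructed, not a real key)
STEP = 30                         # seconds per TOTP window

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the HOTP counter is replaced by the current 30-second window."""
    return hotp(secret, unix_time // STEP)

class HotpVerifier:
    """Hypothetical counter-based check: the expected code changes only after a success."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def verify(self, code: str, unix_time: int) -> bool:
        # unix_time is deliberately unused: elapsed time never invalidates a code
        if hmac.compare_digest(code, hotp(self.secret, self.counter)):
            self.counter += 1          # single use: move on to the next code
            return True
        return False

class TotpVerifier:
    """Hypothetical time-based check: a code dies when its window ends or once used."""
    def __init__(self, secret: bytes):
        self.secret, self.last_window = secret, -1

    def verify(self, code: str, unix_time: int) -> bool:
        window = unix_time // STEP
        if window <= self.last_window:  # a code was already accepted in this window
            return False
        if hmac.compare_digest(code, totp(self.secret, unix_time)):
            self.last_window = window
            return True
        return False

if __name__ == "__main__":
    stolen = hotp(SECRET, 0)            # same value as totp(SECRET, 0)
    print("HOTP, replayed 1 hour later:", HotpVerifier(SECRET).verify(stolen, 3600))
    print("TOTP, replayed 1 hour later:", TotpVerifier(SECRET).verify(stolen, 3600))
```

The same six digits are accepted by the counter-based verifier an hour after they were generated, while the time-based verifier rejects them once the 30-second window has passed.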