Security Updates to Duo in 2024
To protect against recent cyber threats, NAU is enhancing Duo Two-Step Verification protections for the NAU community.
August 2024
NAU Computers now requiring Duo authentication for login
Beginning on August 16th of 2024, NAU computers will require authorization through Duo to complete the login process. After you enter your NAU username and password on your device’s login screen, a Two-Step Verification prompt will be sent to your authorized Duo device for approval. Once you approve this prompt, you can finish logging into your device.
Why is ITS making this change?
Work from home, remote work, and hybrid work have changed the threat landscape when protecting University systems and assets. While on-prem systems are typically stored in controlled-access environments with security above consumer grade, our new landscape does not reflect this same level of protection. With more individuals spread worldwide, ITS must adapt our security practices to meet these new threats and increase our diligence to protect the campus community.
As the world has shifted to more remote and hybrid work, different vulnerabilities and attack vectors have become more prevalent. By requiring Two-Step Verification at desktop logon, we can better protect information that is stored or accessible locally on workstations, better protect network shares and other systems and assets that do not currently support Two-Step Verification before access, assist with protection of sensitive information in the event of lost or stolen devices, and help protect against attacks such as keylogging.
Frequently asked questions & use cases
Will I need to Two-Step every time I log in to my workstation or just the first time I log in for the day?
University community members will have an opportunity to select a checkbox during the login process to “Remember” their login, or until an environmental variable change requires a refresh of your credentials. Environmental changes that can impact your ability to be remembered include, but are not limited to, joining a different wireless access point (such as when moving between offices or buildings), joining the VPN, or restarting your device.
Will you still be able to use a Two-Step fob to log in if you do not have a mobile device that can support Duo?
Yes, Two-Step fobs will be usable for logging into workstations in much the same way as they are for logging into CAS or other Microsoft services.
What should I do if I forget or lose my phone or Two-Step fob?
If you forget your Two-Step authentication device, or if it is lost or stolen, you may call the ITS Service Desk at 928-523-3335 to request a Two-Step Bypass code to use for the day. This code will allow you to access the workstations as well as other systems protected by Two-Step Verification.
Will I still need to authenticate with Duo into Outlook, Teams, CAS, and other services?
Will I need to authenticate with Duo if I remote into my workstation?
Will I still be able to use biometrics to log into my system?
On Windows devices, Cisco Duo does not currently support Windows Hello, and you will not be able to utilize facial or fingerprint recognition.
On macOS devices, Cisco Duo does not support fingerprint recognition on the initial logon of the system but will support subsequent authentications to unlock any existing session.
How will this affect students?
Will this affect servers or non-standard accounts?
No, at this time, this change will not impact any servers or non-standard accounts. In the future, we will be evaluating remote and terminal services to determine if it is appropriate and prudent to deploy these same Two-Step Verification requirements to those systems and services.
Will this impact personal or BYOD devices?
May 2024
Three-digit code now required for Duo Two-Step Verification
Beginning in late May of 2024, NAU employees (including student employees) and NAU Affiliates (including retirees and emeritus) must enter a three-digit verification code when logging into NAU services requiring Duo Two-Step Verification. Upon login, you’ll see a three-digit code in the Duo login prompt in your web browser, and the push notification from Duo on your verified device will ask you to enter that code before access is allowed.
Why is this happening?
Recently, NAU has observed cybercriminals in the higher-education landscape attempting to gain access to users’ accounts through a social engineering technique known as “MFA Fatigue”. This technique involves a malicious entity spamming a user with login attempts and subsequent Duo prompts until the user loses focus and unintentionally approves an unauthorized prompt.
Frequently asked questions & use cases
Can I still complete a verification from my Apple Watch?
Yes, you can still complete a verification request from your Apple Watch.
I teach in multiple classrooms, what does that mean for me?
These updates will not impact the functionality of ‘Remember me’ when you transition between classrooms. However, you will need to physically carry your phone or Two-Step fob with you every time you visit a classroom.
I currently use a Two-Step fob device. What can I expect?
This change only affects users who utilize the push verification functionality. If you use a fob, you won’t notice any changes to your login behavior.
Questions or concerns?
If you have a question or concern regarding this change, contact the ITS Service Desk and reference the updates to MFA for NAU employees.