Wednesday, July 19, 2023
To help address multi-factor authentication fatigue attacks and the risks associated with users accepting false push notifications, EITS will turn on VerifiedPushin ArchPass, powered by Duo, for Office 365 and SSO applications, effective August 1, and vLab, effective August 7.
With the new VerifiedPush model, users who select Send a Push or have their Duo options configured to automatically send them a push will instead see a code displayed on their screen. They must enter this code into the Duo app on their Duo-enrolled smartphone or tablet to log in.
An interactive demo of Duo VerifiedPush is available on Duo’s website at https://demo.duo.com/verified-push. Once on the site, click “Next” to begin the demo.
This new process reduces the risk that a user will accidentally accept a false push notification if a bad actor gets their credentials and spams their device with login requests.
Other Duo authentication methods, including phone calls, passcodes via text and passcodes through the Duo Mobile App will not change. Users will also still have the option to remember their Duo credentials by selecting Yes, Trust Browser when they log in.
Duo VerifiedPush will also be available for logging into the Remote Access VPN at a later date.
For more information, questions and feedback about VerifiedPush, contact Lance Peiper at email@example.com.