Students will lose the ability to authenticate into their Duke account by phone call or SMS on March 18, requiring them to set up Duo Mobile or Duke Unlock.
The changes, which went into effect for faculty and staff Friday, come as part of an Office of Information Technology (OIT) effort to enhance cybersecurity within the Duke network. For community members who currently rely on SMS messages or phone calls for multi-factor authentication (MFA), OIT instructs users to download Duo Mobile or Duke Unlock and register eligible mobile devices before March 18.
“Cybersecurity is always evolving,” Chief Information Security Officer Nick Tripp said. “Attackers are always adapting new methods, and we have to adapt accordingly.”
Currently, when logging into certain Duke websites, users can verify their identity by entering a code received via SMS, accepting a phone call and pressing a key, or entering a passcode from Duo.
However, Tripp explained that SMS messages and phone calls are not encrypted, so they are less secure than other methods of authentication like Duo. A phone- or SMS-based code is a secret that can be intercepted or phished and then typed in by an attacker; a Duo push gives an attacker no such code to steal, because the user must take action by accepting a push notification on their enrolled mobile device.
“Anything that's based on codes is a bit easier for attackers to take advantage of because it's a piece of information,” he said. “… With a push notification like Duo, there's nothing for them to get and then use.”
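To make the distinction Tripp draws concrete, the following is an added illustration (not from the article, and not Duo's or Duke's actual protocol): a toy login server that offers both an SMS-style code and a push-style approval, and two scenarios that show why the code is a reusable "piece of information" while a push approval is not. The `ToyMfaServer` class, the `device_approve` function, the user name `alice`, and the HMAC-over-nonce approval scheme are all constructed for this example.

```python
# Added illustration (not from the article, and not Duo's real protocol):
# a toy identity provider offering an SMS-style code and a push-style
# challenge, plus a phishing relay sitting between the user and the server.
import hashlib
import hmac
import secrets
import time


class ToyMfaServer:
    """Minimal stand-in for an identity provider. Constructed for illustration."""

    def __init__(self):
        self.sms_codes = {}      # user -> (code, expiry)
        self.device_keys = {}    # user -> key shared with the enrolled phone
        self.challenges = {}     # challenge id -> (user, nonce, expiry)

    # SMS / phone-call factor: the proof of possession IS the code itself,
    # so whoever learns the code can present it.
    def send_sms_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[user] = (code, time.time() + 300)
        return code              # delivered to the phone in the clear

    def verify_sms_code(self, user, code):
        entry = self.sms_codes.pop(user, None)
        if entry is None:
            return False
        real, expiry = entry
        return time.time() < expiry and hmac.compare_digest(real, code)

    # Push factor: the proof is a MAC over a server-chosen nonce, computed
    # by the enrolled device's key and never shown to or typed by the user.
    def enroll_device(self, user):
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key

    def push_challenge(self, user):
        cid = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.challenges[cid] = (user, nonce, time.time() + 60)
        return cid, nonce        # delivered to the enrolled device only

    def verify_push(self, cid, approval):
        entry = self.challenges.pop(cid, None)   # single use: consumed here
        if entry is None:
            return False
        user, nonce, expiry = entry
        expected = device_approve(self.device_keys[user], nonce)
        return time.time() < expiry and hmac.compare_digest(expected, approval)


def device_approve(key, nonce):
    """What the phone sends to the server when its owner taps 'Approve'."""
    return hmac.new(key, b"approve:" + nonce, hashlib.sha256).digest()


def sms_code_is_relayable():
    """Victim types the SMS code into a phishing page; the attacker forwards it."""
    server = ToyMfaServer()
    code_on_victims_phone = server.send_sms_code("alice")
    stolen_code = code_on_victims_phone          # captured by the phishing page
    return server.verify_sms_code("alice", stolen_code)   # True: attacker is in


def push_approval_is_not_reusable():
    """Even a captured push approval is bound to one challenge and one use."""
    server = ToyMfaServer()
    key = server.enroll_device("alice")
    cid, nonce = server.push_challenge("alice")
    approval = device_approve(key, nonce)
    first = server.verify_push(cid, approval)    # legitimate login: True
    replay = server.verify_push(cid, approval)   # same approval again: False
    cid2, _nonce2 = server.push_challenge("alice")
    reuse = server.verify_push(cid2, approval)   # old approval, new nonce: False
    return first, replay, reuse


if __name__ == "__main__":
    print("SMS code relayed by attacker accepted:", sms_code_is_relayable())
    print("Push approval (first, replay, reuse):", push_approval_is_not_reusable())
```

The example only demonstrates the point made in the quote above: nothing the phishing page or the network sees in the push flow is a secret the attacker can present later. It does not make the push factor immune to a victim who, after their password is stolen, approves a prompt the attacker triggered; that is a user-behaviour problem rather than a captured-code problem, and is why the article's "there is nothing for them to get" should be read as "no reusable secret" rather than "no possible attack".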
Additionally, Tripp shared that the National Institute of Standards and Technology (NIST) no longer considers SMS and phone-based MFA to be secure. He added that Duke is required to comply with NIST standards for certain types of federal data used for research, but that regulations may soon extend beyond this scope.
Tripp said the University is not alone in implementing these changes, even if “people may be hearing about it at Duke first.” For example, Google will soon no longer allow SMS messages as a valid MFA method on its services.
OIT also plans to make MFA required regardless of location, whereas users can currently alter their settings to make it optional when on campus, according to Tripp. This change will take effect March 31.
“We now know that it only takes one device somewhere at Duke being compromised for an attacker to then have access to our network through that device,” he said.
Dylan Halper is a Trinity first-year and a staff reporter for the news department.