The University of Wisconsin-Madison’s Department of Information Technology (DoIT) announced plans to update their Duo Multi-Factor Authentication (MFA) service in January, which will change the appearance of Duo’s security prompt, DoIT said in a Nov. 13 press release.
The update, named Duo Universal Prompt, promises faster access to campus services via changes such as faster push notifications, support for more languages and an option to access Duo through the URL instead of UW-Madison’s NetID website.
“The new version of MFA-Duo scheduled to roll out next year includes new features, such as remembering your preferred authentication method and reducing clicks for sending a push notification,” Will Burns, DoIT director, told The Daily Cardinal.
The changes come as some student Duo users report accessibility concerns with the platform.
Megan Novotny, a UW-Madison senior who works for the School of Human Ecology as a financial coaching mentor, had difficulty accessing essential material for both classes and work after her phone was stolen in spring of 2022.
With Duo set up on her stolen phone, Novotny had no access to her assignments, email and software for both classes and work.
“I was falling behind. I couldn't read any of my textbooks because they're all online,” Novotny said. “If I wanted to get onto Cengage, I couldn't because you have to go specifically through Canvas for that.”
To log into Canvas, the university’s primary platform for accessing assignments and related school material, students must go through Duo’s MFA process.
UW-Madison rolled out Duo on Sept. 9, 2019, as a mandated measure toward ensuring better cybersecurity for the campus community.
“Nearly all compromised email accounts the UW-Madison Office of Cybersecurity identifies are accounts that are not protected by MFA (for example, former student accounts),” said Jamie Gutkowski, UW-Madison director of user services. “These compromised accounts can be used maliciously by hackers to send phishing emails or other attacks.”
According to a 2019 news release by DoIT, the 4,946 stolen NetIDs and 92,483 phishing reports from campus members the previous year formed a major reason behind UW-Madison’s Duo mandate.
“The fact is that passwords alone are not good enough to protect sensitive data, personal information and UW-Madison’s online data,” UW-Madison said at the time.
“MFA does not eliminate the need to remember a password,” said Allen Monnette, UW-Madison associate director for cybersecurity operations. “It adds an additional layer of security by also requiring Duo authentication to make it more difficult for a hacker to attack an account.”
Duo’s MFA must be administered through a smartphone or tablet, with a token/fob and security key existing as alternatives, according to the 2019 press release.
According to UW-Madison’s Identity and Access Management Knowledgebase, students must contact the DoIT Help Desk to request a token/fob or security key.
Once her phone was stolen, Novotny couldn’t coordinate an alternative means of accessing her school work with DoIT due to the DoIT Help Desk’s limited spring recess hours.
“DoIT had reduced hours during that period of break, so they were pretty much closed,” Novotny said. “I was freaking out trying to contact them by email and calling, because my Duo mobile was linked to my [stolen] phone.”
Initially, Novotny couldn’t set up her Duo on another device because the service required her to access the previously registered device (her stolen phone) for identity verification.
“I emailed them with my regular email, which didn't go very well because I think they thought it was spam,” Novotny said. “And it just took a really long time for me to get through to them.”
Ultimately, using her newly bought phone and with DoIT’s assistance, Novotny was able to regain access to Duo.
“I'm very lucky that I was in a position to have the money to go pay for and activate a new phone,” Novotny said. “It was definitely a very scary experience because everything is essentially connected online, and everything is specifically through Duo Mobile.”
Braca said these situations — questions and requests to DoIT about Duo — are becoming less common.
“With MFA becoming such a common technology, more and more students, faculty and staff understand the benefits and know how to use the technology,” Braca said.