Verifying Your DUO Authentication for Enhanced Security at Tufts
Effective November 1, 2023, Tufts will implement a verification step for DUO for both push and phone notifications. Verifying your DUO authentication increases our security and will help protect you and secure your data from unauthorized access that you didn’t initiate.
How verification works
Currently, our DUO implementation makes it easy to accidentally accept a DUO push notification or press on any key to accept a phone notification. Attackers take advantage of human weakness by what is known as “push harassment” or “push fatigue” hoping that you pay less attention to the details or whether you initiated the action.
Verifying your DUO Authentication requires a simple but more conscious action before approving the login via Push or Phone call.
DUO Push: “Verified DUO Push” requires a user to input a verification code on the Duo Mobile app when approving a login request, rather than simply tapping Approve or Deny.
Verified DUO Push will be required for all web applications (i.e., Box, Zoom, etc.) that are Shibboleth-enabled*. All other applications (i.e., Tufts VPN, Windows servers, etc.) will use simple DUO Push NOT the “Verified DUO Push”.
Verified DUO Push uses the “remember me” feature, so you won't get the message for the next 30 days and then it will ask for a code again.
DUO Phone Call: The process to verify a DUO phone call will require you to press 1 to approve and 9 to decline a login; reducing any accidental keypad entries that could provide access to an attacker looking to steal your data.
*Shibboleth-enabled - Security measure for a website, application, or online service that checks if you're allowed to access it based on some specific information/criteria which protects our online spaces by making sure only authorized individuals or groups can gain access.