Last Monday all students at Oregon State University received yet another email regarding a change to the Duo authentication security system.
This change in our security will take place on May 8. What exactly will change?
Those who use their phone to authenticate with Duo and use the three-digit code will see no change in the way they use Duo, said OSU Chief Information Security Officer David McMorries.
“We have added two options for people to authenticate as well,” McMorries said in an email. “A FIDO2 security key (such as a YubiKey) can be used and there is a method to obtain a one-time code for those with no other option to authenticate.”
McMorries explained that the only remarkable change taking place is the retirement of the Duo six-digit passcode option.
“For students that use the three-digit Verified Duo Push, they will enjoy the use of the Duo app as they have used it since last fall,” McMorries said. “The three-digit Verified Duo Push is a very secure authentication method that helps defeat cyber attackers. For those who move from the use of the old Duo ‘fob tokens’ or the six-digit passcode in the Duo app, they will see much better protection and can feel much better protected from phishing attacks.”
According to McMorries, several hundred thousand phishes are prevented from reaching OSU email accounts in any given month. Several thousand additional phishes are reported by OSU community members and acted on by the OSU Information Security team.
His biggest concern for students is phishers obtaining valuable financial or security information from them. Phishers are known to pose as OSU officials, offering employment to students and asking them for bank or personal information.
It is believed that retiring this six-digit option will provide much stronger security for OSU, particularly against these phishing attacks.
“Making this change was needed to protect the community against these aggressive phishing attacks,” McMorries said. “I have to thank the entire OSU community for their support in this effort.”
For more information on the passcode change, visit this site.
If you have any questions about the legitimacy of an email, you can contact [email protected] or report suspicious emails using the “Report a Message” tool in Outlook, Outlook Web Access or Outlook Mobile.