Important update: SMS MFA method in Duo is being retired
by 色情网站 IT Services |
Transition to stronger and more secure authentication methods
Students, we are writing to inform you of an important update regarding Duo's multi-factor authentication (MFA) methods. Starting July 1, 2025, the SMS-based MFA method will no longer be available in Duo. This change is part of our ongoing effort to prioritize user security by transitioning to more reliable and resilient methods of authentication.
For employees and students, please note that the phone MFA method will remain available until Jan. 1, 2026. This option provides some additional time for users to transition to more secure MFA methods.
IMPORTANT: If you are currently only using the SMS MFA method, don鈥檛 wait to register an additional method to avoid being locked out of your account. Contact 色情网站 IT Services if you need help enrolling a second method.
Phishing-resistant MFA methods
As we phase out SMS MFA, we strongly recommend that you take this opportunity to adopt phishing-resistant MFA methods, which offer enhanced security and are aligned with modern best practices. The following options are available for Duo users:
1. Verified Push
Verified Push adds an extra layer of security to the traditional push notification by requiring a verification step, such as entering a code displayed on your device. This method significantly reduces the risk of phishing attacks.
2. Hardware tokens
Hardware tokens are physical devices that generate one-time passcodes or connect directly to your system via USB, NFC or Bluetooth. These tokens are inherently phishing-resistant and provide an excellent level of security.
3. Touch ID
If you have an Apple device, Duo will allow you to enroll Touch ID as a factor. This option can be convenient, but it is tied to that specific device. You should never use this option by itself.
Guidance for setting up phishing-resistant MFA methods
To ensure a smooth transition to these secure methods, please follow the steps below:
- Log into and navigate to Security Settings.
- Select the option to Enable verified push or Hardware keys. Note, students can request a hardware token from 色情网站 IT Services. Hardware keys are prioritized for anyone with ADA accessibility concerns related to SMS going away and difficulty using the newer methods that are available.
- Follow the prompts to configure your preferred phishing-resistant MFA method.
- For Verified Push: Ensure you have the Duo Mobile app installed on your smartphone. It can be downloaded from the Apple App Store or the Google Play Store.
To set up Touch ID or FIDO2 hardware keys (commonly referred to as YubiKeys) follow the steps at this .
- For Touch ID: Note that Duo calls the option Touch ID in the interface, but if you choose that option it will also allow you to register it with your password manager of choice on any type of device. 1Password and Keeper are two that 色情网站 IT Services recommends. If you choose to register it in a password manager, it does become portable and can be used from any device where that password manager can be used.
- For Hardware Tokens: Students can request a hardware key from 色情网站 IT Services, then register your token in the Elmo portal or if you鈥檝e purchased one yourself you can register it with Duo by following the instructions in the KB article linked above.
Test the new method to confirm it works as expected.
Additional support
We understand that transitions can be challenging, and we are here to help! If you have any questions or need assistance setting up a phishing-resistant MFA method, please contact our support team at (907) 786-4646 or by emailing uaa.techsupport@alaska.edu.
Next steps
We urge all users to begin transitioning to a phishing-resistant MFA method as soon as possible to ensure uninterrupted access to Duo. By doing so, you will not only enhance your account security but also comply with modern authentication standards.
Thank you for your cooperation and commitment to maintaining a secure environment. Together, we can ensure a seamless and safe transition to the next generation of multi-factor authentication.