Duo implementation increases security, adds time to student logins
Students can receive a push notification on the Duo app to verify their log-ins on Dartmouth accounts.
Information, Technology, and Consulting finished the migration of all accounts and services to Duo 2FA, a two-factor authentication program, on July 24. ITC switched to using Duo to create a more secure method for logging into Dartmouth accounts and services, replacing the old method of security questions for authentication. However, some students have voiced concerns about the system’s efficacy since its implementation.
According to interim senior director of information security Sean McNamara, Duo represents a massive security improvement over the previous use of security questions. He said that drawing from both “things you know” — like a NetID and password — and “things you have” — like a smartphone — improves the strength of authentication. The goal of adopting this procedure, according to the ITC, is to prevent hackers from stealing Dartmouth credentials and account information.
One of the benefits of Duo, according to the ITC’s website, is that it offers several ways to verify passwords. These include push notifications produced by the Duo 2FA mobile app, passcodes generated by a hardware token that can be purchased from the Dartmouth Computer Store, as well as text messages and phone calls to linked phones. All of these methods work, but McNamara recommended using push notifications from the app for the greatest level of security.
ITC asserts that the rollout for Duo has been generally successful, with only some minor problems that they are still working on fixing. However, not all students are satisfied with the implementation of Duo on their accounts.
“Every two weeks, it wants the two-factor authentication and I have to run and find my phone and [figure out] where it is and then get the push notification and touch it,” said Levi Roseman ’21.
Roseman also said that while the system appears to be more comprehensive, it can also be redundant, especially when it asks for authentication for logging in from his phone.
Kevin Donohue ’21, the secretary of the Dartmouth Outing Club, said that Duo can create problems for organizations that utilize shared college emails.
“I recently set up an email for the DOC secretary and I had to set up Duo with it, so I didn’t know what to do with it [and] I linked it to my phone,” Donohue said. “Now, the next DOC secretary will have to contact me.”
Roseman also voiced similar concerns for organizational leaders, adding that Duo “sends a push notification to someone else’s phone and we don’t even know where that person is.”
Acknowledging these concerns, McNamara noted that the Duo staff has developed an exception to the system for shared organizational and institutional email accounts that meet the qualifications of being shared accounts.
“We can issue really what is the equivalent of a one-time password or a bypass password,” he said.
Another problem that has arisen, according to some students, is that pressing the “remember me for 14 days” button does not work as intended. According to McNamara, this issue is not the fault of Duo and instead may be due to students using different browsers or devices to log in. Additionally, he suggested that all other problems with Duo be referred to the ITC general help desk.
Duo is also looking at rolling out some other methods of authentication for the system. McNamara said that Duo will soon allow the use of Apple TouchID and similar software for login purposes. Furthermore, McNamara said that ITC is currently working on linking emails for campus institutions and student organizations to personal logins to further simplify the login process.
“We hope to continue to improve the experience,” McNamara said. “I think we’re always looking for ways to improve the user experience with the services we provide, and that’s certainly the case with Duo.”