Duo – Passcodes Disabled May 8

Summary

Passcode authentication, which uses a numeric passcode generated by a hardware token or the Duo Mobile app, will no longer be available starting May 1, 2024. This method has been identified as vulnerable to phishing attacks. If you use passcodes generated by a hardware token or Duo Mobile, please switch to a different authentication methods.

Body

Issue/Question

Note: Verified Duo Push, which displays a 3-digit verification code you enter in the Duo Mobile app to authenticate, is a recommended authentication method and is not impacted by this change.

This change is to phase out the use of 6-digit codes generated by Hardware Tokens or the Duo Mobile app passcode generator. Images of each are included below. 

  • Why can I no longer use six digit passcodes to authenticate with Duo?
  • Why is my hardware token no longer working to authenticate with Duo?
  • Why can I no longer use the six digit passcodes I generated from the Duo Mobile app? 
  • How do I authenticate with Duo now that passcodes are disabled? 
  • How do I authenticate with Duo when I don't have an Internet connection? 

Environment

  • Oregon State University
  • ONID Login

Explanation

Passcode authentication, which uses a numeric six-digit passcode generated by a hardware token or the Duo Mobile app, will no longer be available starting May 8, 2024. This method has been identified as vulnerable to phishing attacks.

Here are examples of the passcode generator methods that will no longer be available:

Hardware Token Passcode Generator:
Hardware Token
Duo Mobile app Passcode Generator:

Resolution

If you use passcodes generated by a hardware token or Duo Mobile, please switch to one of the following authentication methods. 

Method 1 - Verified Duo Push

Verified Duo Push is the method used by most of the OSU community. The Duo login request will display a one-time verification code to enter into Duo Mobile. This method required an Internet or cellular connection. 

Verification Code displayed     Verification Code Entry in Duo Mobile App

Method 2 - Physical Security Key 

A physical security key is a hardware device that connects to your computer. Physical security keys do not require Internet connectivity to authenticate. Physical security keys are highly recommended if you will be without a Internet connectivity. 

Method 3 - Duo Temporary Code

A temporary Duo Code, also known as a Duo Bypass code, can be generated from a secure site and used unlimited times within a 24-hour period. An Internet connection is required to generate the code. You can use the code to authenticate without an Internet connection.

Temporary codes for exam proctoring will continue to be available.

TemporaryCode

Assistance

For assistance, contact the Service Desk.

See all Duo articles

Details

Details

Article ID: 161365
Created
Tue 4/9/24 12:01 PM
Modified
Tue 4/16/24 3:05 PM