In Week 2 of Cybersecurity Awareness Month, the Department of Information Technology is sharing best practices for using Duo Two-Factor Authentication (2FA) to enhance your account security and protect against unauthorized access. As
cyber threats become more prevalent and sophisticated, passwords alone are no longer
sufficient to protect your accounts. Adding 2FA provides an extra layer of security
by requiring a second form of verification, ensuring that even if your password is
compromised, your account remains protected.
How Duo Works – And What to Watch Out For
All Seton Hall users are required to enroll in 2FA. When you log into your account
with your Seton Hall credentials, Duo provides several options for verifying your
identity. You can choose to receive a push notification on your mobile device, a text
message, a phone call, or use a passcode generated by the Duo app. Always review the
notification details to ensure you are approving your own login attempt. If you’re
unsure or did not initiate the request, it’s safest to deny the notification.
Hackers use different tactics to trick you into bypassing 2FA. Here are some scams
to watch out for:
Phishing Scams: Duo will never send emails warning that “your MFA is about to expire” or ask you
to scan QR codes. Always log in through PirateNet directly and report suspicious emails
to IT Security by clicking the Report Phishing button on your Outlook toolbar.
Phone Scams: Seton Hall’s IT staff will never call you asking for your Duo code. If someone does,
hang up immediately and change your password.
MFA Fatigue: Hackers may send multiple Duo notifications to your phone in quick succession, hoping
you’ll approve one by mistake. If you receive repeated requests that you didn’t initiate,
deny them – this is a red flag.
Best Practices for Duo 2FA
Authenticate Only When Prompted by Duo: Duo will prompt you to authenticate only when you log in or need to re-authenticate.
If you haven’t received an authentication prompt recently, review your Duo authentication preferences or contact the Technology Service Desk via a service desk ticket to ensure your Duo account is properly configured.
Opt for the Duo Push Authentication Method: Duo Push offers significant advantages over phone calls or SMS for multi-factor
authentication. It provides enhanced security, as it’s less susceptible to interception
and social engineering attacks. With Duo Push, logging in is more convenient; you
can approve access with a single tap on your mobile device. Additionally, the Duo
Mobile app remains reliable even in low signal areas, ensuring you can always authenticate
securely no matter where you are.
Verify Every Duo Push Notification: Always review details in a Duo notification, such as the location and time of the
login attempt. Approve only if they match your recent activity. If anything seems
unfamiliar, deny the request to protect your account. When a notification is denied,
IT Security is automatically alerted and can initiate an investigation to ensure your
account remains secure.
If you experience suspicious Duo-related requests, contact the Department of Information
Technology by submitting a service desk ticket on the Technology Service Desk portal. This will allow IT Security to investigate and protect your account.