To Duo or Not To Duo: There IS an Alternative to Using Your Personal Device for Two Factor Authentication

I recently received an email notifying me that as of this summer, ITS is discontinuing the option for users to use phone calls or text messaging to obtain passcodes for two-factor authentication. According to the ITS FAQs on the change,

Text and/or phone authentication has proven to be the least secure methods available and is a commonly used attack vector by threat actors. Since the goal of using Duo two-factor authentication is to keep University services secure, we also want to be using the most secure methods of authentication. Most importantly, to meet future compliance and regulatory requirements, the university must support phishing-resistant two-factor methods.

However, in the emails I have received about the transition, ITS also referenced the cost of offering the phone call and text message options.

These emails and the ITS FAQs encourage users to download the Duo app on their personal smartphones in order to continue to log in to university systems. In fact, according to the emails, this appears to be the only option – using your personal device to access systems that are required to do your job.

Being required to use my personal device for work purposes does not sit well with me, though. I actually used to use the Duo app on my phone, but the recent controversy over EM-16, and in particular its provisions regarding personal device usage, has made me think twice about if and how I should be using my personal device for work. So instead of accepting this change at face value, I decided to dig into the details and figure out (1) whether or not I should actually care about this, and (2) if I do want to avoid using my personal device in this way, what other options I have. Since I know there are a lot of other folks out there who may have the same questions and concerns, in this post I am sharing what I learned with all of you.

An image generated by DALL-E showing a Yubikey-type device blasting through the word DUO.

Should you care about this?

In digging into the implications of being required to use my personal device for work, I had two main concerns: the effect of having my phone constantly present so that I could use it to authenticate when needed, and the university policy implications of using my personal device in this way.

Distraction

In reading up on the research on smartphones and distraction, I do find reason for concern. There is a vast body of research that demonstrates that mobile devices, such as the smartphones required for the Duo Mobile app, are distracting. What is perhaps most interesting, however, is that some of that research shows that our phones are distracting us by their presence and availability, even when we are not using them. A recent study by Skowronek et al. (2023), for example, found that participants who had a smartphone turned off, face-down in the same room as them when completing cognitive tests showed lower attention, performance, and working speed compared to those who left their phones in another room.

As people whose work involves a constant stream of cognitively demanding tasks, we should be quite concerned about the evidence that having our phones with us at all times, even if we aren’t consciously paying attention to them, can be hindering our ability to pay attention to and engage with our work. Even more concerning is the effect that this constant distraction can have on our mental health.

I am not here to tell anyone what they should or should not do with their phones. But I do think the research on attention points to a problem with a university functionally requiring faculty and staff to have their phones with them at all times.

Policy Implications

As I mentioned above, the 2022 ratification of Executive Memorandum 16 (EM-16), the Policy for Responsible Use of University Computers and Information Systems, has caused me to think more critically about if and how I should be using my personal devices for work purposes. According to EM-16, “University employees… who use personally owned devices for University-related business are responsible for maintaining device security, data return and deletion, incident reporting, response to public records requests and discovery requests, and must produce their devices for inspection when required as indicated in ITS-19: Security of Personally Owned Devices” (p. 11). ITS-19 specifically lists “Multi-factor Authentication (Duo)” as one of the “publicly accessible University Information Systems that contain medium risk data and may be accessed using personal devices” (p. 2). However, it also states that “medium risk data may not be stored on a personal device that does not meet the appropriate minimum security requirements as defined in the Configuration Management Standard and associated Procedures” (p. 2).

Based on all of this, it seems that accessing Duo from one’s personal device would require employees to ensure that their device meets these “Configuration Management Standards.” However, ITS-06, the Configuration Management Standard, is, at least to me, incomprehensible. I attempted to read through the document to determine what standards my personal device would have to meet in order to appropriately access Duo from that device, but I could not make sense of it on my own. I did find a document on “Baseline Security” on the UNL ITS Services website that does list security requirements for low, medium, and high risk configurations on Windows and macOS systems, but no instructions are provided for securing the mobile operating systems required for two-factor authentication. Reading through the configurations for medium risk data, I would be surprised if many people’s phones actually meet these requirements or if it is possible for most mobile devices to comply at all.

So what does this all mean? Ultimately it is hard to say. I am not an expert in IT security and policy, but neither are most of the employees at the University. Without instructions that clearly describe individual responsibilities for securing private devices, and easily located and installed software, it remains unclear how employees should comply with the requirements and what the penalty for non-compliance may be.

What can you do?

If you are using the Duo mobile app and are perfectly happy doing so, go for it. I am not going to tell you to stop. If you do not want to download the app, or if my arguments around distraction and policy compliance have made you hesitant to continue to use it, you do have another option! You can use a “Hardware (FIDO) token” called a Yubikey. This is a small device that you can plug into your computer to authenticate instead of using the app on your phone. It is also the kind of phishing-resistant method the ITS FAQ refers to: a FIDO token only responds to the site it was registered with, so a look-alike phishing page cannot use it to log in.

An image generated by DALL-E showing the difference between USB-A and USB-C.

This option is not mentioned at all in the email communications I have received about the transition, but it is briefly mentioned in the FAQs and, if you know what you are looking for, on the NU Two-Factor Authentication webpage. The FAQs make it sound like you need to purchase your own Yubikey, but there is also an online form you can fill out to request a Yubikey from ITS. On the form you have to indicate whether you want USB-A or USB-C. If, like me, you can never remember which is which, you can find out the difference between the two here, or check out the picture I have included in this post. You can choose either to have ITS mail you the Yubikey or to pick it up from the Help Desk. I had them mail it to my campus office and it arrived fairly quickly.

Once you have your Yubikey, go to the page on how to set up the Yubikey USB Authenticator with a PIN. At the bottom of that page there are further links on how to enroll your Yubikey in Duo to use for two-factor authentication on either a macOS or Windows device. Please note that when I tried to follow the instructions, the link to TrueYou was incorrect and took me to an “oops!” page. If this happens, just go to https://trueyou.nebraska.edu/ instead of following the link on the page. I also needed to use my phone to scan a QR code for verification during the process, which was not entirely clear from the instructions.

I will say that it was not the easiest thing in the world to figure out, but I was able to muddle through the set-up in about 10 minutes and have verified that I can in fact use my new Yubikey to authenticate when trying to log in to TrueYou.

tl;dr

The university is removing the option for two-factor authentication via text message or phone call. You may not want to use the Duo app on your personal device to authenticate due to concerns about distraction and/or unclear policy implications for using your personal device in this way. If that is the case, you can request a Yubikey from ITS instead.