Technology Services has noticed a small, but increasing, number of attempts to subvert Duo two-factor authentication through the phone/voice call method. This industry-wide uptick in malicious activity relies on the phone prompt being too vague to raise user suspicion, resulting in users inadvertently granting access to outside parties.
It is important to stress that if an unexpected Duo prompt is received—by voice call, text, or the Duo app—your password has already been compromised. Do not approve any Duo prompts that you did not personally trigger. If you receive one or more unsolicited Duo prompts, you should immediately change your Gustavus passphrase and notify the Technology Services Helpline.
As a result of this alarming trend, Gustavus will no longer allow users to select the phone/voice option for Duo authentication. We encourage you to download the Duo app on your phone, tablet, or smartwatch. This option provides you with more information about the identity/location of the party attempting to sign in to your account, making it more difficult to accidentally approve such requests. If you do not have a smart device, the Text/SMS method will remain viable. If you are a current student or employee and you do not own a mobile phone, we have additional options available at the Technology Services Helpline. Instructions for changing your Duo authentication method can be found on the Technology Services wiki: https://gustavus.edu/gts/Duo_Two_Factor_Authentication#Modifying_Settings_and_Devices
Let us help
If you have questions about setting up the Duo Mobile app, or you need help with an alternative option, we encourage you to stop by the Technology Services Helpline (main floor of Olin Hall) for one of our Duo & Donuts events. We’ll provide the donuts and help you with any authentication needs.
- Thursday, Oct. 6, 3:00-4:45 p.m.
- Tuesday, Oct. 11, 8:30-9:30 a.m.
FAQs
What does it mean when I receive a Duo prompt that I didn’t initiate?
This most likely means that someone, other than yourself, has your Gustavus username/passphrase and is actively attempting to access your account. You should immediately change your Gustavus passphrase (https://gustavus.edu/account/changePassphrase) and notify the Technology Services Helpline (helpline@gustavus.edu or 507-933-6111).
What happens if I leave my phone at home?
We strongly recommend that you keep a list of one-time bypass codes in your office for such occasions. You may request a list of bypass codes from the Technology Services Helpline (helpline@gustavus.edu or 507-933-6111). You can enter one of your unused codes from the “Choose an authentication method” window by selecting the “Enter a Passcode” option.
What happens if I get a new phone?
If you can still authenticate (via a one-time bypass code, for example), you can visit the Gustavus Duo Management portal (https://gustavus.edu/account/manageTwoFactor) and follow the prompts to reconfigure Duo for your new device.
If you authenticate through text/SMS messages and your phone number hasn’t changed, no additional action is required.
If you can’t authenticate, contact the Technology Services Helpline (507-933-6111) and request assistance.
More information can be found in the GTS Wiki: https://gustavus.edu/gts/Duo_TF_-_Device_Replacement_for_End_Users
What if I don’t have a mobile phone?
Current students and employees who do not have access to a mobile phone may request bypass codes from Technology Services. In certain cases, a Duo fob may be a viable option; however, fobs are easily misplaced and are prone to unreliability when infrequently used.
What happens when I travel internationally?
If you are traveling abroad and your phone’s text/SMS and Internet access are limited, you can use the Duo Mobile app to retrieve a passcode that will allow you to bypass your normal authentication methods.
- Open the Duo app on your device.
- Press the “down” arrow located to the right of the Gustavus heading.
- A passcode will appear. Use this number to bypass your usual authentication methods.
Does the Duo app work offline?
Yes. The Duo Mobile app can generate passcodes without the need for service or an Internet connection.
- Open the Duo app on your device.
- Press the “down” arrow located to the right of the Gustavus heading.
- A passcode will appear. Use this number to bypass your usual authentication methods.