Cornell University

Duo Two-Step Login Keeps Your Account Protected

This article applies to: National Cybersecurity Awareness Month

If you’ve ever logged onto an account online and had to enter a verification code (sent to your phone or your email), then you’ve already experienced the benefits of multifactor authentication. In this digital world, bad actors will try to hack into personal accounts by trial and error. If they have one piece of the puzzle, such as your username, then they only need to guess your password.

As difficult as it can be to remember your password, it’s shockingly simple for a criminal to use automation and programmed scripts to crack it.

Software used by hackers can make several hundred guesses in just one second. A simple password that uses a sequence of common numbers and has no symbols or mix of upper- and lowercase letters might be hacked in minutes by these programs. As early as 2012, a researcher set up a computer cluster to make up to 350 billion password guesses per second (source: CrowdStrike).

Once a hacker gets in, your personal information and identity are up for grabs. If they’ve managed to get into a Cornell site or service, then the university’s confidential data and other community members are also at risk.

Multifactor authentication adds an extra layer of protection.

At Cornell University, most of the sites and services that are accessed with your NetID already require you to use multifactor authentication with Duo. Although there are many Reasons You Want Two-Step Login, a major benefit of multifactor authentication is that even if someone has your username and password, they still won’t be able to get into an account protected by multifactor authentication without also having access to the device you use for Duo authentication.

Duo has recently introduced a Muted Push Feature that will further protect accounts. Bad actors will use mobile push harassment, making repeated Duo Mobile authentication requests one after the other. Out of frustration or fatigue and a desire to make the notifications stop, a user will then approve one of the requests and in doing so grant the bad actor access to their account.

The muted push feature stops this type of online harassment before it can get that far. When a user receives an authentication request they didn’t initiate and marks it as fraudulent, Duo will temporarily mute further push notifications for the next 20 minutes. The user can still authenticate during that time by opening the Duo Mobile app to approve requests directly, while the bad actor’s attempts to wear them down into approving a fraudulent request are safely ignored.
