Beginning in December, Cornell will discontinue a Two-Step Login (Duo) authentication method—the Duo Mobile App passcode feature. As you may be aware, Duo Mobile App passcodes are number codes generated within the mobile app and then entered into the Duo prompt to authenticate your Cornell sign-in.

Why Is Cornell Discontinuing Duo Mobile App Passcodes?

Evidence has shown that the continued use of Duo Mobile App passcodes poses a security risk to Cornell systems and users' personal information. Because these Duo Mobile passcodes do not expire in a sufficiently timely manner, they have allowed malicious users to successfully craft sophisticated phishing attacks to steal passcodes before they expire, thereby defeating the Two-Step Login features that protect Cornell services and data.

If you regularly use Duo Mobile App passcodes, please plan to use the available alternatives, such as Duo push, Duo phone callback, Duo hardware token, or USB security key, as described below.

When Will This Change Happen?

Duo Mobile App passcodes will be discontinued in two phases to minimize disruption during the academic year and to ensure support for those affected prior to and after the winter break:

• Tuesday, December 6, 2022 All non-students (including faculty, staff, alumni, and retirees)
• Tuesday, January 3, 2023 All students

What Are the Alternatives to Duo Mobile App Passcodes?

We recommend the following alternative Duo authentication methods:

• Duo push (confirm the sign-in using the Duo mobile app)
• Duo “call me” (confirm the sign-in via phone callback)
• USB security key (confirm the sign-in by pressing a button on a device) 

Additionally, these alternatives will continue to function and use the “passcode” field when prompted:

• Duo hardware token (confirm with a passcode generated by a device)
• Duo SMS passcode (confirm with a passcode sent by text message)

To learn more about alternatives to Duo Mobile passcodes, visit Log In Using Two-Step Login.

CU VPN Users: When signing into the Cisco AnyConnect client, type: “push”, “sms”, or “phone” (without the quotes) to trigger one of those authentication methods as an alternative to Duo mobile passcodes.

If you believe that you will experience a significant negative impact from this change or have questions or concerns, please contact itsecurity@cornell.edu.