Skip to main content

Cornell University

IT@Cornell

Latest News

""

Jump to:

On Tuesday, September 23, 2025, Cornell continues the roll-out of changes intended to improve Two-Step Login security. In response to increased threats to Cornell NetID passwords and university services, CIT will be requiring Duo Verified Push for all Duo Mobile app users and removing the Duo Phone Call and Duo SMS Passcode options. 

Looking ahead, on November 4, these changes will also be required for those who are not currently using the Duo Mobile app.

During August, September, and October, groups within the Cornell community will receive email notifications letting them know about the timing of the changes to their accounts. 

Changes Coming to Cornell Two-Step Login (Duo) Service in Fall 2025

To increase security at Cornell, two methods of using Duo to log in are being discontinued:

  • Having Duo call you when you want to log in
    Duo Phone Call, or Callback, is when your login causes Duo to call a telephone number and ask you to confirm your login request.
  • Having Duo send you a text message when you want to log in
    Duo SMS (Text) Passcode is when your login causes Duo to send a text to your messaging app to confirm your login request.

Cornell accounts that do not already require Duo Verified Push when using the Duo Mobile app will have it required.

  • Instead of seeing a green checkmark (or red X) in your Duo Mobile app, you’ll be prompted to enter a three-digit code. When you log in, if it does not already do so, the Duo prompt in your browser will provide a three-digit code that you will enter in the Duo Mobile app on your phone to verify. This is called Duo Verified Push, and it is the most secure way to use Duo at Cornell.

Change Timeline Summarized by Your Role at Cornell

Cornell Employees (non-academic)

On Tuesday, September 3, Employees who have the Duo Mobile app will have the Duo Phone Call and Duo SMS Passcode methods retired. If you use Duo Mobile when you log in, this change will not affect you.

Students

On Tuesday, September 23, students who have the Duo Mobile app will have the Duo Phone Call and Duo SMS Passcode methods retired. If you use Duo Mobile when you log in, instead of seeing the green checkmark in your Duo app, you'll be prompted for a three-digit code provided by the web browser. This is called Duo Verified Push.

Faculty and Academic Staff

On Tuesday, September 23, Faculty and Academic Staff who have the Duo Mobile app will have the Duo Phone Call and Duo SMS Passcode methods retired. If you use Duo Mobile when you log in, this change will not affect you.

Emeritus Faculty and Retirees

On Tuesday, September 23, emeriti, retired faculty, and other retirees who have the Duo Mobile app will have the Duo Phone Call and Duo SMS Passcode methods retired. If you use Duo Mobile when you log in, instead of seeing the green checkmark in your Duo app, you'll be prompted for a three-digit code provided by the web browser. This is called Duo Verified Push.

All Cornell Accounts Without the Duo Mobile App

On Tuesday, November 4, all who do NOT have the Duo Mobile app installed will have the Duo Phone Call and Duo SMS Passcode methods retired and Duo Verified Push will be enabled if it is not already. 

If you fall into this group, you should make plans now to prepare for the coming changes so you do not find yourself unable to log in to Cornell services on November 4.

  • If you have a smartphone, consider installing the Duo Mobile app before 11/2. The Get Started Quick Guide will help you set it up. When you verify using the Duo app, it will use Duo Verified Push, where the prompt in your web browser includes a three-digit code that you enter into the Duo app before you tap Verify.
  • No smartphone? You can use a USB security key or hardware token to log in. If you use CU VPN, choose the hardware token. You will need to have one of these devices by the time all changes have been completed on November 4.

Consider Secure Connect if you are Cornell faculty or staff

Faculty and staff can add even more security by switching to a passkey with Secure ConnectWith this method, you won’t need to submit your NetID and password, or use Duo, to log in to most Cornell services. Take five minutes and set yourself up with one-touch login. 

If you do enroll in Secure Connect, keep in mind that the Duo Verified Push, USB security key, or hardware token methods must still be available as a backup, even for people who use Secure Connect regularly.

Why are these changes necessary?

The threat of cyber crimes against Cornell accounts and systems continues to intensify. Many existing authentication methods have become vulnerable to attacks by criminals. For example, in an attempt to steal employee paychecks, criminals successfully used artificial intelligence to impersonate legitimate verification requests through Duo phone calls and text messages.

Always bear in mind that, despite the improved security of Duo Verified Push, cyber criminals may still try to impersonate Cornell by texting or calling you for the code. Never provide your authentication code in a text or call, and never verify a request that you did not initiate yourself while logging in. 

Whenever you suspect fraud, change your NetID password immediately and report the incident to the IT Security Office.

Weill Cornell Medicine and many other universities have already made these changes.

Questions?

Need help setting up or using Two-Step Login (Duo) or Secure Connect? Contact the IT Service Desk.

Other questions or concerns? Please contact the IT Security Office at itsecurity@cornell.edu.

Tags

Two-Step Login
secure connect
duo verified push
sms
phone call

Comments?

To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.