Cornell has implemented Duo’s Verified Push for university faculty and employees.

Verified Push was piloted by CIT staff and IT Service Group directors. It has also been in use at Weill Cornell Medicine and other major institutions with no adverse impact, becoming the new minimum standard for security.

What Should I Expect?

For faculty, staff, and student employees, whenever you use Duo Push to log into a Cornell web application: 

• The Duo prompt in your browser now includes a three-digit code.
• Your Duo Mobile app will include a field to enter the provided code. Simply enter the code, then touch Verify to complete the verification. 
• Never enter digits that were not provided by the Duo Prompt during a website login that you initiated.
• Verified Push does not increase how often you need to use Duo Mobile to verify your logins – it just adds the requirement to enter the three-digit code. 

This change will not affect logins to CUVPN, SSH, RDP or other non-web applications.

Why Is Cornell Making This Change – and Why Now?

Cornell recently intercepted a wave of attacks on highly sensitive systems. This put a spotlight on the very real threat of Duo "push fatigue" and "push harassment" attacks. Adding Verified Push to Two-Step Login is an effective defense to these threats.

• You are unlikely to notice this change if you are using Secure Connect to log into your device and Cornell web services.
• You will notice this change when using devices or browsers that do not have Secure Connect enabled, and when you log in to services such as Outlook that use Microsoft Azure authentication.
• Contact the IT Service Desk if you encounter issues with this change.