Duo, Cornell’s vendor for providing Two-Step Login, has introduced a feature called Muted Push, designed to help prevent “mobile push harassment” attacks.

What Is Mobile Push Harassment?

Mobile push harassment is a form of online abuse that happens when a malicious user triggers repeated Duo Mobile notification and authentication requests, in hopes that the user will approve the request simply to get rid of it. Doing this would be a serious mistake!

What to Do If You Get a Fraudulent Authentication Notification

When users approve Duo authentication requests that they are not expecting, they are almost certainly giving a malicious user access to their account.

If a user receives an authentication notification or request that they did not initiate by logging in to a Cornell service, they should deny the authentication in the Duo Mobile app and also mark it as suspicious. For details on how to do that, visit When to Deny a Two-Step Login Request.

In addition, whenever a user receives and reports a suspicious authentication attempt, it could indicate a compromised password, so they should change their Cornell NetID password as soon as possible at Manage Your NetID.

How Muted Push Will Protect Users

Now, with Duo’s new Muted Push feature, when a user marks an authentication request as fraudulent, Duo will temporarily mute push notifications for 20 minutes, eliminating harassment from repeated scam notifications.

During the 20-minute mute period, users can still approve legit authentication requests by opening the Duo Mobile app directly and approving. They just won't get device notifications from Duo during that period.