<div>On Tuesday, August 19, 2025, CIT will make the following changes to the Two-Step Login (Duo) service for Cornell (Ithaca) Affiliate, Exception (Sponsored), Temporary, and Former Postgrad accounts that have the Duo Mobile app in use. <br><br></div><ul><li>Require <a href="https://it.cornell.edu/twostep/verified-push"><strong>Duo Verified Push</strong></a> (for any accounts not already required to use it) </li><li>Remove the <a href="https://it.cornell.edu/twostep/log-using-phone-callback-two-step-login">... Phone Call</strong></a> or Callback method </li><li>Remove the <a href="https://it.cornell.edu/twostep/log-passcode-two-step-login#toc-get-an-sm... SMS (Text) Passcode</strong></a> method </li></ul><div>Those who regularly use only the Duo Mobile app for logins are not expected to experience hardship with the change. We completed this change to CIT and ITSG Director accounts this week with no complaints. <br><br></div><div>Duo Verified Push, hardware tokens, and USB security key (“YubiKey”) methods remain available. With Verified Push, the familiar browser push prompt includes a three-digit code that must be entered into the Duo Mobile app before pressing Verify. <br><br></div><div>These changes are being made on an accelerated timeline in response to repeated threats to Cornell accounts and services. The Duo Phone Call and SMS Passcode methods in particular are no longer considered secure against the phishing and impersonation strategies criminals currently use. <br><br></div><div>For accounts that do not have the Duo Mobile app installed, the Phone Call and SMS Passcode methods will be removed on November 2, 2025. After all change milestones have been completed in November, all Cornell community members will need to log in using a smartphone with the Duo Mobile app (and <a href="https://it.cornell.edu/twostep/verified-push">Duo Verified Push</a>) or be ready with a <a href="https://it.cornell.edu/twostep/log-using-usb-security-key-two-step-login... 
security key</a> or <a href="https://it.cornell.edu/twostep/hardware-tokens-two-step-login">hardware token</a>. <br><br></div><div><strong>Support Considerations</strong> <br><br></div><div>For CU VPN and SSH, Duo Push or the hardware token passcode will be the only ways to log in after this change. Other methods will result in an authentication failure. Also be aware that technical limitations have prevented CIT from implementing Verified Push for CU VPN at the present time, so those signing in to CU VPN and SSH may see the older Duo Push prompt. We are asking the community to be careful about accepting unprompted Duo requests. <br><br></div><div>IT staff are also aware that some LastPass users may not see the Verified Push prompt when logging in with the extension or plugin on a mobile device. This is being investigated. <br><br></div><div>Cornell faculty and staff are encouraged to transition to <a href="https://it.cornell.edu/secure-connect">Secure Connect</a> for login verification. Secure Connect is not available for other types of Cornell accounts. Those who move to Secure Connect must still keep the ability to use Duo Verified Push, a hardware token, or a USB security key as a backup. (Microsoft 365 Azure logins may occasionally require Duo, even when the individual has chosen to have their login remembered.) <br><br></div><div><strong>Project Outreach</strong> <br><br></div><div>In all cases, direct email notifications will be sent to affected Cornell accounts. ITSG Directors can expect additional supporting communications from ITSO in the coming weeks as the project progresses. To read the initial public IT News article about the project, visit <a href="https://it.cornell.edu/news/important-two-step-login-duo-changes-startin... Two-Step Login (Duo) Changes, Starting August 2025</a>. 
<br><br></div><div>The current schedule for this change over the coming weeks, for other Cornell accounts that have the Duo Mobile app installed, is: <br><br></div><ul><li>Tue 8/12: CIT and ITSG Directors —COMPLETED </li><li>Tue 8/19: Exception, Affiliates, Temporary, and Former Postdocs </li><li>Wed 9/3: Employees (non-faculty) </li><li>Tue 9/23: Students, Faculty, Academic Staff, Emeritus, Retired Faculty, and Retirees </li><li>Thu 11/2: Alumni, Trustees </li><li>Thu 11/2: All accounts that have not installed the Duo Mobile app will lose the Duo Phone Call and SMS Passcode methods </li></ul><div><strong>Questions and concerns</strong> <br><br></div><div>Contact the IT Security Office at <a href="mailto:itsecurity@cornell.edu">itsecurity@cornell.edu</a>. </div>
