Scheduled Service Change - Changes to Two-Step Login (Duo) - 9/3 staff

<div>On Wednesday, September 3, 2025, CIT will apply changes to the Two-Step Login (Duo) service for <strong>Ithaca campus non-academic employees who have the Duo Mobile app installed</strong> on a device. A targeted email notification will be sent Tuesday, August 25.</div><ul><li>Remove the <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fit.cor... Phone Call</strong></a> or Callback method</li><li>Remove the <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fit.cor... SMS (Text) Passcode</strong></a> method</li></ul><div><br></div><div>This population is already required to use Duo Verified Push when authenticating with the Duo Mobile app. Those currently using the Duo Mobile app will not be affected by the change.<br>&nbsp;<br><strong>Look ahead:</strong> Ithaca campus non-academic employees who do NOT have the Duo Mobile app installed will have the Duo Phone Call and SMS Passcode methods removed on Tuesday, November 4, 2025, and will receive a separate targeted email notification in the coming days.<br> A spreadsheet of these individuals is <a href="https://cornellprod.sharepoint.com/:x:/r/sites/CornellITSGs/Shared%20Doc... for reference</a> in the Cornell ITSG Teams files.<br> <br> These changes are being made on an accelerated timeline requested by senior leadership in response to repeated threats to Cornell accounts and services. The Duo Phone Call and SMS Passcode methods in particular are no longer considered secure against current phishing and impersonation strategies by criminals.<br> <br> <strong>Communication plan:</strong> Direct email notifications will be sent to affected individuals. ITSG Directors can expect additional supporting communications from ITSO in the coming weeks as the project progresses. To read the initial public IT News article about the project, visit <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fit.cor... Two-Step Login (Duo) Changes, Starting August 2025</a>.<br> <br> In these notifications, faculty and staff will also be strongly encouraged to enroll in Secure Connect.<br> <br> <strong>Guidance being given to community members who do NOT have the Duo Mobile app installed:</strong></div><ul><li>If they have a smartphone: Install the Duo Mobile app by November 2 as the most secure option.</li><li>If they don’t have a smartphone or don’t want to install Duo Mobile: Acquire a <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fit.cor... security key</a> or <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fit.cor... token</a> by November 2.</li></ul><div><br></div><div><strong>IT Service Notes</strong><br> <br> We are asking the IT community to advise individuals to be careful never to accept unprompted Duo requests.<br> <br> <strong>CU VPN (Virtual Private Network) and SSH (Secure Shell): </strong>Duo Push or the hardware token passcode will be the only ways to log in to CU VPN and SSH. Other methods will result in authentication failure. Technical limitations have prevented CIT from implementing Verified Push for CU VPN at the present time, so those signing in to CU VPN and SSH may see the older Duo Push prompt.<br>&nbsp;<br><strong>Secure Connect: </strong>All employees are encouraged to switch to Secure Connect. However, either the Duo Verified Push, USB security key, or hardware token methods must still be available as a backup, even for people who use Secure Connect regularly. Non-employees are not eligible to use Secure Connect.<br>&nbsp;<br><strong>Microsoft 365 Azure:</strong> Logins may occasionally require Duo, even when the individual has chosen to have their login remembered.)<br> <br> <strong>LastPass: </strong>IT staff are aware that some LastPass users may not see the Verified Push prompt when logging in with the extension or plugin on a mobile device. This is being investigated.<br>&nbsp;<br><strong>Questions and concerns</strong></div><ul><li>Guidance on setting up Duo Mobile or using Duo features: Contact the <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fit.cor... Service Desk</a></li><li>Other questions or concerns: Contact the IT Security Office at <a href="mailto:itsecurity@cornell.edu">itsecurity@cornell.edu</a>&nbsp;</li></ul>