DUO Phone Call disabled starting July 31, 2019
What is happening?
On July 31st, 2019, VCU is disabling the phone call option in Duo as a method of authentication.
How does this affect me?
After July 31st, you will only see two options for two-factor authentication (Push and SMS). If you currently use the Phone Call option, you will no longer be able to use that method of authentication.
Why is VCU doing this?
Due to recent FCC regulation which allows telecoms to block robocalls by default, Duo calls are being blocked by telecoms. We have seen a significant increase in users who attempt to authenticate several times if the call is not connected. This option is unreliable and has led to users being locked out of their accounts. Additionally, VCU pays for each phone call requested regardless of whether the user receives the call. Phone call options are currently 5-times more expensive than the other options. With these concerns in mind, VCU information security has decided the best course of action is to disable the phone call option completely. This will lead to a more reliable service.
What should I do?
If you use the Phone Call option as your primary mean of two-factor authentication, you will need to use another option (SMS, Push, or Token) after July 31, 2019. Since this is a change that will affect a large portion of the VCU community, VCU information security has some resources to help ease this transition.
- Seminars will be hosted by a member of the Information Security Office lasting 20-30 minutes on how to use Duo's other options and why 2 Factor Authentication is important. Seminars are scheduled for:
- 8/13/19 Sanger Hall B1-020 - 8:45 AM - 11:30 AM
- 8/14/19 Cabell Library B41 - 2 PM - 4 PM
- 1-on-1 consultations sessions will be provided by the IT Support Center in the basement of Cabell library in the ITSC office, on how to use other DUO options.
- Phone and email support will also be provided. You can either call IT Support Center at 804-828-2227 or email email@example.com if you have any questions or concerns about this transition.
- Training Videos on how to use the other authentication options (Push, SMS, or Tokens) are found at the bottom of this page.
What are my other options?
You will still be able to use the SMS, Push, or Token option. We have described the different options below:
- SMS - This option will send a text message (SMS) to your cellular phone with a set of 10 codes that you can use to login. You can only use each code once, but you have the ability to request new codes.
- Push - This will send a notification to the cellular phone that has the DUO app installed. You can approve or deny the request through this application. This application can be installed on Apple or Android devices. Please visit this webpage to learn how to download, install, and register the application with your account.
- Hard Token - This is a physical device that contains an LCD screen that will produce a code when you press the button on the device. This device does need not access to the internet.
- Soft Token - After you have the DUO application install on your mobile phone and you have the application associated with your account, you can use the application to produce codes to login. The DUO app can create codes without an internet connection. Please see the video below (How to Use the DUO App as a Soft Token) on how to use the DUO app as a software token. You will need an internet connection if you intend to use the Push option.
How to use SMS option to authenticate with Duo
How to use push option to authenicate with Duo
How to use the Duo App as a Soft token
For users who do not own a smartphone, SMS codes can be sent to your cell phone. For users without a cell phone at all please contact firstname.lastname@example.org or at 804-828-2227 for an alternative solution.
The SMS access (text message) codes can be sent to you when you do have a signal. SMS will provide several codes that will work several days after they have been requested.
The Duo app also has "soft tokens" which can be accessed in the app at any time regardless of cell or internet signal. The soft token will allow you to authenticate.
If this solution does not work for you please contact IT Support Center at 804-828-2227 for an alternative solution.
We understand that your phone is very personal and we respect that. That being said, we highly recommend that you do download and use the Duo app, VCU does not own Duo and cannot see what is on your phone. The Duo app only requests permissions to access the camera to scan QR codes, this permission can be revoked at anytime as it does not effect the service.
If you still do not want to use the Duo app, you can use other 2 factor authentication apps such as Google authentication, LastPass, Norton VIP or any other 2 factor app that you use* or use SMS.
Due to recent FCC regulations, telecoms are blocking robocalls which effects Duo's phone calls. Since Duo phone calls are being blocked, this has caused an uptick in IT support tickets from users unable to receive Duo phone calls. Since the phone call option is unreliable, VCU information security will be disabling the phone call option entirely, which will improve the reliability of the service. This means when you authenticate with Duo, you will be limited to two options (SMS and push). This will be effective 7/31/19.
Unfortunately, we are not able to make any exceptions for this change. Although your carrier may not be blocking robocalls now, it is possible they will start blocking robocalls in the near future. To keep the service reliable, we are disabling the call option.
Using 2 factor helps protect your account and data. It requires someone knowing your password and having access to your phone before they could access your account or data. It can prevent a bad actor from accessing your account or data.
Just as a reminder, if you are constantly having to reauthenticate using 2 factor, consider using the remember me for 60 days option to avoid reauthentication.
No, DUO will still require your phone as another factor to verify your identity. The phone call option is being disabled, but still will require your phone.
DUO is not being turned off, just the phone call option. This means that when you are authenicating with DUO, you will see options for SMS or PUSH. Before you would see SMS, PUSH and Phone Call, this phone call option is being turned off and will not longer show up on the menu.
A soft token is shorthand for software token, this is opposed to a hardware (hard) token. Meaning that software, in this case DUO, is generating the login code. In the hardware token scenario, it is a device, usually a YUBIKEY or other small device, that generates the login code for you.