Users logging into any University of Michigan website Tuesday were greeted with a revamped pop-up screen for two-factor authentication as the University transitioned to the Duo Universal Prompt, a move mandated by Cisco Security. The Duo Universal Prompt, introduced by Cisco Duo, brings several changes to the authentication experience.
Cisco Duo, a two-step verification system provider, was founded in 2010 by U-M alumni Dug Song and Jon Oberheide. Cisco Systems, Inc. acquired Duo in a $2.35 billion deal in 2018.
Ravi Pendse, the University’s vice president for information technology and chief information officer, wrote in an email to The Michigan Daily that the University is committed to ensuring online safety and security.
“The University of Michigan was an early higher education adopter of multi-factor and two-factor authentication and had this capability for years, before moving to Duo in 2016,” Pendse wrote. “Now used by banks, social media companies, shopping sites, and many more organizations, multi-factor and two-factor authentication have become a standard, best practice security tool.”
With the new update, the system remembers the user’s last-used authentication method, streamlining the login process and eliminating the need for users to manually select their preferred option. Text messages sent during authentication now include only one passcode, and the URL of the web page displaying the Duo prompt has shifted from weblogin.umich.edu to duosecurity.com.
Public Policy senior Ayden Makar said he believes the Duo update is not enough to ensure data privacy for the U-M community, citing the August 2023 data incident.
“The Duo screen before looked a little clunky; this appears to be more modern,” Makar said. “I understand and appreciate the use of two-factor authentication, but it’s not a foolproof system. As we saw at the start of the fall semester, even with Duo, unauthorized parties were still able to access the U-M system. I think it’s a useful security tool overall but it’s limited to login use, which is just one aspect of security.”
Cisco Security declined to comment on the U-M updates to two-factor authentication.
In an email to The Daily, Sol Bermann, U-M executive director of information assurance and chief information security officer, wrote that the transition to the Duo Universal Prompt also supports a broader range of languages and hardware security keys, aligning with the University’s commitment to enhancing security and user experience.
“These enhancements align with ITS’ mission to provide innovative, reliable, secure user-centric technology services and support for the U-M community,” Bermann wrote.
The update comes as part of a global initiative by Duo to enhance security measures, with a total discontinuation of their traditional prompt starting March 30, 2024. Other educational institutions have undergone this same transition over the past few months, including the University of Wisconsin–Madison, Cornell University and James Madison University, as the deadline approaches.
Bermann also wrote that this update will not exhibit any change in data security at the University in his email.
“There is no change to the security that Duo provides,” Bermann wrote. “As is the case with any application, user interfaces and experiences are updated over time. The change to Universal Prompt provides a simplified and accessible Duo login experience featuring a redesigned visual interface.”
Daily Staff Reporter Emma Spring can be reached at sprinemm@umich.edu.