IU students not registered with Duo, a two-step login service being implemented by the University, will be unable to access most of the University’s online systems after Nov. 2.
Duo is a second layer of security for users and their University accounts. IU deemed the program necessary after a phishing incident in 2016 compromised more than 800 IU accounts.
The service requires students to register a device, preferably a cell phone, that is used to prove a valid log-in attempt.
Users signing in with Duo will have the option for Duo to send their device a call, a passcode or a push notification. The only direct cost for students is the cost of SMS messages and phone calls.
Without Duo and their registered device, students will be locked out of many websites and accounts they need to function as a student, such as student email and Canvas pages.
"I will be the first to admit that Duo does change our balance of protection and convenience," wrote Daniel Calarco, chief of staff for the Office of the Vice President for Information Technology and CIO of IU, in an email. "However, given the escalating threats and given the stakes, I think many would agree it's worth it."
Calarco is leading IU’s Duo efforts, which began in February 2017 when Duo was rolled out to faculty and staff.
In a formal blog post titled “Two-Step Logins: A Few Taps Can Save You a Lifetime of Headaches,” Calarco acknowledged the tedium of cyber safety.
He also wrote that the move to Duo came after 12,000 people at IU received phishing or fraudulent messages in 2016. More than 800 people willingly turned over their usernames and passwords to cyber criminals. The criminals didn’t breach or hack any IU systems to get that information.
It was just given to them.
“It was the digital equivalent of a car thief putting on a red blazer, standing outside a fancy restaurant, and driving off with the cars when patrons handed over their keys,” Calarco wrote in the blog post.
Calarco wrote in an email that students may not be aware of some of the cyber threats they face every day. Students could have their tuition or financial aid stolen. Loans could be taken out in a student’s name and the student would be responsible for paying those stolen funds back.
“Fortunately, we at IU have never seen unauthorized access to systems behind two-step logins," Calarco wrote in the email.
This is why IU is implementing Duo. Cathy O’Bryan, associate vice president of University Information Technology Services, said about 78 percent of enrolled students have already registered with Duo.
Students can also request a free, pager-like device called a hardware token if they cannot or do not want to use their personal device.
However, Calarco said he highly recommends students with smart devices to use the Duo app and its “push” feature, since it is free and easy to use.
Students who still have not registered a device can do so here. Students can also use this link to remove or change a registered device.
