Duo Mobile changes authentication process

USC employees must now use Duo Verified Push to access their University accounts.

By MAX RUBENSTEIN
a phone using duo mobile is unlocking a computer
Duo Mobile was first implemented by USC in January 2022 in an attempt to add an extra protection feature to the USC systems which require the online NetID sign-in process. (Wesley Chen / Daily Trojan)

The Duo Security authentication process has adopted new features that change the way the USC community can log into their University accounts. According to the Digital Campus, USC’s website for technological advances and resources, the updates will affect students differently than faculty, staff and student workers.

For students, much of the software is staying exactly the same. They will still be able to “Duo Push on the app, call and text via carrier, and [use] security keys via browser.” The main change is a feature called Duo Universal Prompt, meant to streamline the process.


Daily headlines, sent straight to your inbox.

Subscribe to our newsletter to keep up with the latest at and around USC.

When a user logs in for the first time, Duo will select the most secure login method, although students may opt to view other options. According to the announcement, the most secure methods are “platform authenticators … (like Touch ID) or roaming authenticators … (like [a] security key),” followed by push notifications. For future logins, users will be shown whichever method they chose the previous time.

For staff, faculty and student workers, the process will be slightly different. According to a separate webpage, their login experience is adopting a feature called Duo Verified Push. Instead of being able to accept a push notification, Verified Push will display a three-digit code that they must enter on their mobile device to login rather than just pressing “approve.” Although employees currently have the option to set a continual password through Duo Mobile App Passcodes, this feature will no longer be available.

According to a video hyperlinked on the announcement page from ITS News, “Push is commonly targeted by threat actors of USC, and this additional layer of security will protect both the university and [user] information, helping prevent push harassment and accidental push approvals.”

Some non-students were confused by the change and frustrated by the extra steps in the login process.

“If someone can do a verified push [by unlocking your phone], then adding an SMS feature on top of this, I don’t see how it provides additional security,”said Abhishek Balakrishna, an assistant professor of mathematics.

Balakrishna also argued that if a phone’s security is compromised, both Push and Verified Push would become indistinguishable, as the three-digit code could still be intercepted. 

“I think that it would waste a lot of time,” said Jay Maniyar, a graduate student majoring in business analytics. “I think they can come up with a better option that could facilitate an easier process.” 

The University declined to comment when asked to offer further insights on the rationale behind extending this security layer to all users except students.

Harshit Bhavnani contributed to this report.

© University of Southern California/Daily Trojan. All rights reserved.