Security - Comparing Duo authentication methods

An overview of the Duo authentication options currently available at UW-Platteville and considerations for each

A comparison of the Duo authentication methods currently available at UW-Platteville

| Feature / option | Hardware fob issued by UW-Platteville (contact the ITS Help Desk to request a fob) | Smartphone or tablet with Duo Mobile App: entering the one-time passcode from the Duo Mobile App | Smartphone or tablet with Duo Mobile App: push notification to the Duo Mobile App | Requesting a one-time code to be sent by Duo via SMS |
| --- | --- | --- | --- | --- |
| Recommended by National Institute of Standards and Technology (NIST) as an option for the “something you have” factor of authentication | Yes | Yes | Yes | No |
| Requires the individual to have a physical device to be registered in the Duo Authentication Service | Yes | Yes | Yes | No |
| When used as the second factor of authentication, requires the individual to have physical access to the registered device | Yes | Yes | Yes | No |
| The individual initiates the authentication information for both the first and second factor, allowing them more control over the entire authentication process | Yes | Yes | No | No |
| Authentication information is sent over an encrypted data connection | Yes | Yes | Yes | No |
| After the initial setup and registration of the device, does the device require network or cellular connectivity to use the device for authentication? | No | No | Yes | Yes |

Additional points for consideration when selecting Duo authentication options, by type of authentication device

Hardware fob issued by UW-Platteville

  • Recommended option for individuals who are working from areas with limited cellular network coverage, those who do not use a smartphone or tablet, or those who do not want to install the Duo Mobile app on their smartphone or tablet.
  • The hardware token or fob is a single purpose device.
  • Provides the highest level of assurance for authentication and protection of the individual’s account, reducing the risk of unauthorized use of the individual’s account.

Smartphone or Tablet with the Duo Mobile App installed and configured, using the Passcode feature

  • Requires a supported and properly configured Smartphone or tablet.
  • Network connectivity to the Smartphone or tablet is required for the initial installation of the app and when applying software updates.
  • The Passcode feature of the Duo Mobile App can be used when the smartphone or tablet is not connected to a cellular data network, such as in locations where cellular data coverage is not available. Consistent use of the Passcode feature may also provide a way to be alerted if the user’s primary credential is compromised: if the user consistently uses the Passcode feature for their second factor of authentication and receives a Push notification request they did not initiate, it may be an indicator that the user’s primary authentication credentials have been compromised and that a cybercriminal is attempting to use them to perform the second factor of authentication and access resources.
  • A Smartphone or tablet is not a single purpose device, as it is used for functions other than authentication.
  • When the Smartphone or tablet with the installed Duo Mobile App is only accessible by the individual associated with the account, this authentication option provides a high level of assurance for authentication and protection of the individual’s account, reducing the risk of unauthorized use of the individual’s account.
  • Increased risk to the individual’s account and authentication process if the Smartphone or tablet is used by or shared with other individuals.
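The alerting idea in the Passcode bullet above can also be checked centrally from authentication logs. The following is an added example, not UW-Platteville's or Duo's code: it flags Push requests for accounts whose established habit is the Passcode feature. The event field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events. Field names ("ts", "user", "factor", "result")
# are assumptions for this example, not a log format taken from the page.
EVENTS = [
    {"ts": "2022-04-01T08:02:11", "user": "asmith", "factor": "passcode", "result": "success"},
    {"ts": "2022-04-01T08:10:45", "user": "bjones", "factor": "push", "result": "success"},
    {"ts": "2022-04-04T07:58:30", "user": "asmith", "factor": "passcode", "result": "success"},
    {"ts": "2022-04-04T08:12:02", "user": "bjones", "factor": "push", "result": "success"},
    {"ts": "2022-04-04T09:00:00", "user": "cwu", "factor": "passcode", "result": "success"},
    {"ts": "2022-04-05T08:01:19", "user": "asmith", "factor": "passcode", "result": "success"},
    {"ts": "2022-04-05T08:09:51", "user": "bjones", "factor": "push", "result": "success"},
    {"ts": "2022-04-05T09:03:27", "user": "cwu", "factor": "push", "result": "success"},
    {"ts": "2022-04-06T08:00:44", "user": "asmith", "factor": "passcode", "result": "success"},
    {"ts": "2022-04-07T02:14:40", "user": "asmith", "factor": "push", "result": "denied"},
    {"ts": "2022-04-07T02:15:05", "user": "asmith", "factor": "push", "result": "success"},
]


def unexpected_pushes(events, min_history=3, min_share=0.8):
    """Return Push events for users whose prior logins were mostly Passcode.

    min_history: successful logins needed before a habit is assumed.
    min_share:   fraction of that history that must be Passcode logins.
    """
    history = defaultdict(Counter)  # user -> count of successful factors
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        seen = history[ev["user"]]
        total = sum(seen.values())
        if (ev["factor"] == "push" and total >= min_history
                and seen["passcode"] / total >= min_share):
            # Flagged events stay out of the baseline until reviewed, so an
            # accidentally approved request cannot make Push look routine.
            alerts.append(ev)
            continue
        if ev["result"] == "success":
            seen[ev["factor"]] += 1
    return alerts


if __name__ == "__main__":
    for alert in unexpected_pushes(EVENTS):
        print(f"{alert['ts']} {alert['user']}: Push request ({alert['result']}) "
              "from a Passcode-only user; review for password compromise")
```

A flagged Push with a result of success is the case that matters most, because it means the unexpected request was approved.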

Smartphone or tablet with the Duo Mobile App installed and configured, using the Push notification feature

  • A Smartphone or tablet is not a single purpose device, as it is used for functions other than authentication.
  • Increased risk of unauthorized use if the Smartphone or tablet is used by or shared with other individuals.
  • Multiple steps are required to complete authentication.  A verification request is pushed to the individual who has physical access to the device.  When the notification is received, the individual must verify the source of the request prior to selecting the appropriate response of Approve or Deny.
  • Sufficient time is needed to carefully evaluate the push notification message to determine if the request was initiated from an authentication activity of the individual, or if the request is the result of fraudulent activity initiated by a cybercriminal or unauthorized user attempting to compromise the account.
  • Use of the push notification requires adequate network coverage.
  • If the individual’s password has been compromised, the push notification may have originated from the cybercriminal attempting to use the compromised credentials to access a resource. If the push notification is not properly reviewed prior to selecting “accept”, the cybercriminal will have achieved successful authentication by compromising the second factor and, as a result, will have full access to the resource(s) using the compromised credentials.

SMS / text message

  • The use of SMS is not recommended by NIST as a form of authentication, as SMS technology is not “something you know”, “something you have”, or “something you are”, and is not tied to an individual’s identity.

If you have questions, please contact the ITS Help Desk at 608.342.1400 or helpdesk@uwplatt.edu.  You may also visit the Help Desk on the first floor of the Karrmann Library.

Doc ID: 116389
Owner: Louann G.
Group: UW Platteville
Created: 2022-01-31 15:46 CDT
Updated: 2022-04-12 08:55 CDT
Sites: UW Platteville