An overview of the Duo authentication options currently available at the University of Wisconsin-Platteville and considerations for each.
The following table provides a comparison of the Duo authentication methods currently available:
| Feature / option | Hardware fob issued by UW-Platteville (contact the ITS Help Desk to request a fob) | Smartphone or tablet with Duo Mobile App: entering the one-time passcode from the Duo Mobile App | Smartphone or tablet with Duo Mobile App: Push notification to the Duo Mobile App | Requesting a one-time code to be sent to a mobile device by Duo via SMS text message |
| --- | --- | --- | --- | --- |
| Recommended by National Institute of Standards and Technology (NIST) as an option for the “something you have” factor of authentication | Yes | Yes | Yes | No |
| Requires the individual to have a physical device to be registered in the Duo Authentication Service | Yes | Yes | Yes | No |
| When used as the second factor of authentication, requires the individual to have physical access to the registered device | Yes | Yes | Yes | No |
| The individual initiates the authentication information for both the first and second factor, allowing them more control over the entire authentication process. | Yes | Yes | No | No |
| Authentication information is sent over an encrypted data connection | Yes | Yes | Yes | No |
| After the initial setup and registration of the device, can this method be used for authentication when there is no network connectivity available - for example, no connection to a wireless or cellular network? | Yes | Yes | No | No |

Additional points for consideration when selecting Duo Authentication options

Hardware fob issued by UW-Platteville
- Recommended option for individuals who are working from areas with limited cellular network coverage, those who do not use a smartphone or tablet, or those who do not want to install the Duo Mobile app on their smartphone or tablet.
- The hardware token or fob is a single-purpose device.
- Provides the highest level of assurance for authentication and protection of the individual’s account, reducing the risk of unauthorized use of the individual’s account.

Smartphone or tablet with the Duo Mobile App installed and configured, using the Passcode feature
- Requires a supported and properly configured smartphone or tablet.
- Network connectivity to the smartphone or tablet is required for the initial installation of the app and when applying software updates.
- The Passcode feature of the Duo Mobile App can be used when the smartphone or tablet is not connected to a Wi-Fi or cellular data network, such as in locations where Wi-Fi or cellular data coverage is not available.
- Consistent use of the Passcode feature may provide a method to be alerted if the user’s primary credential were compromised.
- If the user is consistently using the Passcode feature for their second factor of authentication, and they receive a random Push notification request they did not initiate, it may be an indicator that the user’s primary authentication credentials have been compromised and a cybercriminal is attempting to use their compromised credentials to perform the second factor of authentication and access resources.
- A smartphone or tablet is not a single-purpose device, as it is used for functions other than authentication.
- When the smartphone or tablet with the installed Duo Mobile App is only accessible by the individual associated with the account, this authentication option provides a high level of assurance for authentication and protection of the individual’s account, reducing the risk of unauthorized use of the individual’s account.
- Increased risk to the individual’s account and authentication process if the smartphone or tablet is used by or shared with other individuals.

Smartphone or tablet with the Duo Mobile App installed and configured, using the Push notification feature
- Multiple steps are required to complete authentication. A verification request is pushed to the individual who has physical access to the device. When the notification is received, the individual must verify the source of the request prior to selecting the appropriate response of Approve or Deny.
- A smartphone or tablet is not a single-purpose device, as it is used for functions other than authentication.
- Use of the push notification requires adequate network coverage. The push notification will not be successful when the smartphone or tablet is not connected to a Wi-Fi or cellular data network, such as in locations where Wi-Fi or cellular data coverage is not available.
- Increased risk of unauthorized use if the smartphone or tablet is used by or shared with other individuals.
- Sufficient time is needed to carefully evaluate the push notification message to determine if the request was initiated from an authentication activity of the individual, or if the request is the result of fraudulent activity initiated by a cybercriminal or unauthorized user attempting to compromise the account.
- If the individual’s password had been compromised, the push notification may have originated from the cybercriminal attempting to use the compromised credentials to access a resource.
- If the push notification is not properly reviewed prior to selecting “accept”, the cybercriminal will have achieved successful authentication by compromising the second form of authentication, and as a result, will have full access to use the resource(s) using the compromised credentials.

SMS / text message
- The use of SMS is not recommended by NIST as a form of authentication, as SMS technology is not “something you know”, “something you have”, or “something you are”, and is not tied to an individual’s identity.

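The indicator described in the Passcode and Push considerations above, a push request the user did not initiate on an account that normally authenticates with passcodes, can also be checked from authentication logs. The following Python is an added example, not UW-Platteville or Duo code; the record fields (`ts`, `user`, `factor`, `result`) and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample records. Field names are hypothetical, not Duo's log
# schema; map them from whatever your authentication log export provides.
SAMPLE_EVENTS = (
    [{"ts": t, "user": "alice", "factor": "passcode", "result": "success"}
     for t in range(1, 7)]                       # alice: passcode-only habit
    + [{"ts": t, "user": "bob", "factor": "push", "result": "success"}
       for t in range(1, 7)]                     # bob: normally uses push
    + [
        {"ts": 7, "user": "alice", "factor": "push", "result": "denied"},
        {"ts": 8, "user": "bob", "factor": "push", "result": "success"},
        {"ts": 9, "user": "alice", "factor": "push", "result": "success"},
        {"ts": 10, "user": "carol", "factor": "push", "result": "timeout"},
    ]
)


def unsolicited_push_alerts(events, min_history=5, passcode_share=0.9):
    """Flag push requests on accounts whose established habit is passcode.

    Following the page's reasoning, a push the user's own habits do not
    explain may mean someone else is using the account's password.
    """
    successes = defaultdict(lambda: defaultdict(int))  # user -> factor -> count
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        seen = successes[ev["user"]]
        total = sum(seen.values())
        habitual_passcode = (total >= max(min_history, 1)
                             and seen["passcode"] / total >= passcode_share)
        if ev["factor"] == "push" and habitual_passcode:
            # Approved is the worst case: the second factor was handed over.
            severity = "critical" if ev["result"] == "success" else "warning"
            alerts.append((ev["ts"], ev["user"], ev["result"], severity))
            continue  # keep the suspicious push out of the baseline
        if ev["result"] == "success":
            seen[ev["factor"]] += 1
    return alerts


if __name__ == "__main__":
    for alert in unsolicited_push_alerts(SAMPLE_EVENTS):
        print(alert)
```

Accounts with too little history (carol) or an established push habit (bob) are not flagged, which is why consistent use of the Passcode feature makes this signal usable.
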
Need help?
If you have questions, please contact the ITS Help Desk at 608.342.1400 or helpdesk@uwplatt.edu. You may also visit the Help Desk on the first floor of the Karrmann Library.