Information Security Removing the "Call Me" Option in Duo MFA

05/02/2023
By James Packard

UML Information Security is continually evaluating cybersecurity protocols and practices to ensure the safety of our UMass Lowell community and systems. As part of this, we will be making a change to our Duo multi-factor authentication practices to enhance security.

On Thursday, June 1,2023, we will be removing the Duo phone call (“Call Me”) option to authenticate when logging into all UMass Lowell systems protected by Duo. Remaining choices for the second authentication include:

• Duo mobile verified push (preferred)
• Duo mobile passcode
• SMS (text message)
• Duo hardware tokens
• Security Keys (i.e. YubiKeys)
• Apple Touch ID

Currently 83% of our campus community use the Duo verified push via the Duo mobile application. It is the most convenient and secure option for the second factor. Please visit www.uml.edu/mfawww.uml.edu/mfa to manage your settings and configure your device for Duo verified push. If you need additional assistance, please contact Tech Services at 978-934-HELP.

Why are we doing this?

We want to use the most secure MFA methods available to protect university data, accounts, and systems. Additionally, we have seen an increase in “MFA fatigue” or “MFA prompt bombing” attacks where threat actors repeatedly use the “Call Me” feature to harass users to accept the second factor request. The attackers hope that the recipient will eventually grow tired of (or become “fatigued” by) the repeated requests and eventually approve the login -- giving the attacker access to the account.

What if I don’t have a smartphone?

Although not as secure, you can still use SMS (text message) as your second factor. As stated above, you can use the Duo hardware token or security keys as the second authentication factor. If you lose your hardware token or forget it at home or the office, you can still contact Tech Services for a One-Time Passcode (OTP). For faculty and staff, please contact Tech Services if you need a hardware token.

If you have any questions, please feel free to contact infosec@uml.edu.