As some of you may know, I previously wrote an article titled: IU Exposed: Why You Should HATE DUO Login in December. The article featured many problems students, including myself, had with DUO Login and how it was disrupting our lives as students. A couple of weeks ago, the article caught the notice of the Chief of Staff at the Office of the Vice President for Information Technology & CIO, Daniel Calarco. This led to a meeting with him where I would get the opportunity to not only share my ideas for how to improve the User Experience of DUO but also hear the backstory as to why it was such a necessity.
My first reaction was extreme excitement because my writings are actually getting noticed to a point where I could make real change. My second reaction was to reach as many students as possible and seek their thoughts on how to improve DUO, considering how clear it was that we can’t get rid of it. I wanted to ensure that whatever I expressed at the meeting was a representation of what the students wanted. The replies came rolling in and I took note of them all. By the time 4 PM hit, I was well equipped for a meeting I hoped would mean a compromise for both the students and IT.
At the meeting, I definitely had my journalist hat on. I was critical and skeptical of everything said. I wanted the students to have the full truth on DUO Login. I am going to make the long story of why DUO was created more brief, to spare those of you who have a short attention span. About 2 years ago, various administrators at Indiana University (IU) started receiving a message that said, “You have a message from Staff Portal, click here to see what your message is.”
The link that was on the message would take the user to a malicious site that was created off the IU network. I’m sure you are all aware of the dangers of these sites and how they may steal personal information and/or install viruses on your computer. This site looked exactly like the CAS login screen (One.IU) where you access Canvas, except it was a mock version of it. The site took the credentials the user typed in and passed them through CAS to see if they were functional. If they did work, it would send you to One.IU, but no message would be found. Users did not think anything of it, figured it was maybe just a glitch or mistake in the system, and forgot about it. In an attempt to stop the issue, IT started blocking the malicious site and having those who had already visited create a new passphrase. However, the cybercriminals adapted by changing the domain names, and eventually they had about 800 users turning over their username and passphrase.
At this point, some of you may be curious as to how much access IT has... at least I was. They do have access to where you have visited while you utilize their wifi and wired networks. This is all courtesy of the Communications Assistance for Law Enforcement Act (CALEA). So just keep that in mind, they are always watching. However, they do not filter content that they find objectionable. Calarco explains it as, “We are not the thought police.”
Furthermore, when the problem seemed to be handled, it showed its ugly face again as cybercriminals tried to redirect paychecks and view W2s containing social security numbers. This issue continued for some time as IT played “whack a mole” every time the cybercriminals tried to access information. Eventually, DUO was born and put on financial information or anything relating to social security. It successfully got rid of the cybercriminals. Interestingly enough, this issue did not really affect students, it was more faculty.
So, why are we suffering because of it? IU is being proactive. There have been cases in higher education where students have had their grades stolen or students changing their grades for assignments. Also, if we place DUO just on certain applications, you would still have access to the other ones if you go through the authentication for an application without DUO.
With that being said, I brought in 5 ideas on how to improve DUO. Three of them were squashed after going through the backstory of DUO and one already had a solution that was just not as publicized. Despite this, I was still left wondering about one of my ideas that had not been touched yet. The idea was modified from feedback from multiple students about a longer login. Many students wanted to have a login that lasted the whole week. However, that would bring back the initial issue. My idea was to have DUO remember you for 24 hours. This way, the students are happy and IT has little worry about the accounts being insecure.
First, most of us do not stay awake for 24 hours, so in the time we are not using DUO (while we sleep) our accounts won’t stay active. Second, the students will only have to log in once at the beginning of the day for authentication. Once a day for two-step seems reasonable and safe considering DUO logs you out completely anyway if you are inactive for too long. When brought up to Calarco, he was open to bringing it up to the SafeIT committee, since the 12-hour Remember Me is going well.
About a week ago, I received an email shortly after noticing the change when logging into One.IU myself. Calarco informed me that they would be extending the Remember Me period from 12 hours to 24 hours. It will be monitored to ensure no accounts are compromised and there is an extreme promise that this new change will be permanent. Although it may be rolled back to 12 hours if issues start to arise due to the new change, it is nice to at least see IT attempting to hear our complaints and catering to us for a better experience with DUO. Many of the students are ecstatic with the new change, so a huge thank you to the IT team. It was also amazing that an article I wrote led to such a huge impact for the students on campus at IU.
P.S. If you want more reason to hate Purdue, they are contemplating filtering content on their network, something IU does not agree with.
Without further ado, here are some ways to improve your experience with DUO Login:
Login in the Morning (24 Hour Remember Me)
First, if you have not already been checking the box to remember you for 12 hours, you have been complicating your life. With the Remember Me function extending from 12 hours to 24 hours now, you can save yourself from “doing the two-step” more than necessary. To make your life easier, log in to One.IU in the morning so that your 24 hours extend throughout the whole day, rather than having to go through two-step again midday.
Google Voice
This function takes a bit to set up, but in the end, saves you some time. It also requires that you have a personal Google account, as using the IU Google account defeats the purpose of two-step. Google Voice allows you to forward text messages, such as your DUO login codes, to your Google account. This is one extremely helpful function when your phone is lost or dead. Logging in and doing the two-step can all be completed on your computer.
Hardware Token
This one is my new favorite, courtesy of Calarco. The hardware token can be retrieved from your campus Support Center. The Herman B. Wells Library is one location I know for sure gives them out for free and helps you set them up. The code is only tied to your account. You press the button on the token and it gives you a code that you just put in when prompted with DUO. It’s about the size of your thumb and fits on a lanyard. This is another easy way to get into DUO without your phone, especially when you’re trying to avoid using your phone in class.
U2F Token
Similar to the hardware token, the U2F Token can be purchased on Amazon for about $10-20. The U2F Token is inserted into the USB port of your computer and when DUO is prompted, you tap the token and you are immediately authenticated into One.IU. No codes, no typing anything in, no phone necessary.
Call IT Support Center
Open 24 hours a day, IU’s Support Center can be contacted at 812-855-6789. When you call after getting locked out of One.IU, they ask a series of questions only you as a student would know. For example: What class did you take two semesters ago at eight in the morning? They ask things pertaining to your academic records and verify your identity over the phone. From there, they give you a code that lasts nine hours to unlock your account.