
Opinion: Duo Two-Factor Verification Has Gone Too Far

Duo two-factor authentication is totally out of control. While we were away from campus and enjoying winter break, the university quietly made a major change for every student, faculty and staff member. 

In an email on Dec. 19, Information and Technology Services announced “Increased Account Protection with Duo App.”

“Due to the increasing sophistication and success of phishing and account compromise attacks, we are enhancing our login security. Effective immediately, all logins will require Duo Verified Push. This method ensures that an added layer of protection is in place to keep campus accounts and systems secure,” the email read.

Rather than occasionally pressing a button on the Duo App to confirm a sign-in, we now have to enter a six-digit code nearly every time we want to sign in to use D2L.

Some may dismiss me as a cranky student who is too lazy to open his phone, but I have some concerns. Side note: my prior university did not use such an app, and two-factor authentication was one of my largest deterrents from attending this university.

I am not here to say that the person or people who made this decision are bad people or had malicious intentions in doing this; quite the opposite.

In economics, there is something called the Laffer curve. It is used to represent the relationship between tax rates and revenue. 

If the tax rate is 0%, there is no revenue for the government, but if the tax rate is 100%, no one would work and the revenue would also be zero. 

Thus, there must exist a theoretical tax rate where the government can collect the most tax dollars. Making the tax rate higher would result in less overall revenue. 

How does this relate to Duo? There has to be a point where creating additional security measures would hurt users more than they would make users safer. 

So, the question should be asked, how much security is enough? 

Why shouldn’t we be required to use fingerprints on our phone to confirm we are logging into D2L? Retina scans?

Also, the email references “increasing success of phishing scams,” but I do not recall any warnings from the university about such an issue. Do you?

I ask that the university repeal the recent decision to increase account protection and take Duo back to how it was before. We deserve a more robust explanation for a decision that brings such a change to the way this university operates.
