Duo Security Update: Duo Multi-Factor Authentication (MFA) Attacks


Cybersecurity attacks against Higher Education are on the rise and Duo Multi-Factor Authentication (MFA)  is a primary target.  Beware of fraudulent Duo prompts by phone, email, text message, or Duo mobile application push requests. 



Key Take Away

REMINDER:  You initiate Duo Multi-Factor Authentication attempts.  Dartmouth will never call you for a passcode or PIN, send erroneous Push notifications, or email password requests.

  • Never approve a Duo authentication request you did not initiate.
  • Where possible, use Duo Mobile App.

  • Avoid sharing Duo passcodes with third-parties.

  • Please report fraudulent Duo calls, push requests, and emails.  Click to report a Duo MFA attack.


What is Multi-Factor Authentication?

There are three common factors used for authentication:

  1. Something you know (e.g., a password).
  2. Something you have (e.g., a smart card or hardware token).
  3. Something you are (e.g., your fingerprint or other biometric marker).

Using your user name and password in combination with something you have or something you are constitutes multiple factors of authenticity to access college resources.  Beyond a user name and password, you are proving your identity as an authorized Dartmouth user.

In the event your user name and password is stolen, MFA is an additional layer of security to safeguard access to college resources.  Attackers cannot abuse email accounts, faculty and staff records, or network and system connections without passing Duo MFA.

Types of MFA Attacks

Attackers are gaining sophistication in their attempts to steal credentials by using human vulnerabilities in the authentication chain. 

Common attacks include (In order of prevalence):

  • Push Attacks - Forged Duo Mobile push requests.

  • Phishing or Email Attacks - Phishing emails or text messages with links to Dartmouth themed Duo authentication pages

  • Phone Attacks - Unsolicited phone calls from Duo.

NOTE:  If you receive an unsolicited Duo authentication request, deny the request and report it immediately.  Click to report a Duo MFA attack.


Push Attacks

If you are using the Duo Mobile App, you have the option to push an authentication request to your mobile phone.  A push request will display on your screen to Accept or Deny.  Learn more about Duo Push.

A push attack presents as one or more authentication requests to your mobile phone for which you did not prompt. 

Ask yourself:

  • Did I initiate the push request?
  • What is the location of the push request?  Does the location match your location?
  • Does the push request match a prompt from a resource you require (e.g., Email, VPN, Zoom)?
  • How do I prevent future push attacks?

Protect yourself:

  • If you receive a push request you did not initiate, deny the request.
  • Review location details in the push notification.  Compare your current location with location of push request.  A mismatch in location is suspicious.
  • A mismatch in application request and application details in the push notification is suspicious.
  • If you did not initiate the push request, your user name and password have likely been compromised.  It is strongly recommended to reset your password.
  • Mark a Duo Push as fraudulent in Duo Mobile app
  • More on protecting yourself from push attacks.


Phishing or Email Attacks

Commonly called "phishing", email attacks follow themes to entice users to click a link or open an attachment. Attackers embed links in email to Dartmouth themed Duo log in pages.  If a user enters a user name and password at these very familiar, well crafted, fake log in pages, their credentials have likely been stolen, and their account is compromised.

Protect yourself:

  • If you have been victim of a phishing attempt via email and you exposed your user name or password, please change your password immediately, and report a Duo MFA attack here.


Phone Attacks

One method used to verify an access request is to have a phone call initiated to a number you register with Duo.  Currently, if you accept a call from Duo and press any key, you are granting access to your account.

Unsolicited calls for Duo authorization present a phone attack.

Protect Yourself:

  • Authentication calls from Duo will only come from (603) 646-2999.
  • Dartmouth personnel will never ask for your password or Duo passcodes.
  • Deny calls you did not initiate.
  • When possible, use Duo Mobile App. 
  • Report fraudulent Duo calls.


Article ID: 146335
Wed 8/31/22 3:58 PM
Thu 9/8/22 10:23 AM