FAQ: End of SMS for Duo

Why did the university eliminate SMS passcodes as an option in Duo for Multi-factor Authentication?

While SMS passcode-based authentication was once common, it is now considered less secure* due to vulnerabilities like SIM swapping and phishing.

Using other factors such as a key or app offers a more robust and industry-standard approach to securing access, aligning with best practices used by financial institutions, government agencies and peer universities. The university handles sensitive data that requires strong protection, such as personal information, academic records and research information.

*The National Institute of Standards and Technology (NIST) has deprecated SMS as a secure MFA method since its 2017 revision of Special Publication 800-63.


Is the university’s data really sensitive enough to justify this change?

Yes. University systems contain confidential student, faculty and research data. Protecting this information is a legal and ethical responsibility, and stronger authentication methods help prevent breaches and identity theft.


Why not require Multi-factor Authentication only for accounts with sensitive data?

Security is most effective when applied consistently. Selective enforcement creates gaps that attackers can exploit. A unified approach ensures that all users benefit from stronger protection and simplifies support and policy enforcement.


What if I don’t have access to a smartphone?

We understand that not everyone has access to the same technology. The university offers alternative authentication options such as hardware tokens. Please contact the Help Desk to explore these options.


Why is there a limit on Multi-factor Authentication bypass codes?

Limits on bypass codes help prevent abuse and maintain system integrity. Unlimited bypass codes can undermine security benefits. Bypass codes are one-time solutions available from the Help Desk to use as a last resort if no other method of MFA is available. If you’re experiencing issues, the Help Desk can assist with temporary access and explore long-term solutions.