Three months in: Duo Security update

At the end of the Fall 2018 term, IT Services flipped the switch on Duo Security and two-factor authentication at Miami University.

It’s been a few months now, and we have a good handle on our environment and users. But inquiring minds want to know: What does the Duo profile at Miami look like?

Get your drills ready: Numbers, numbers, numbers

Let’s drill down into some of the information surrounding Duo Security and the users we have in the system.

In total, there are just over 30,000 users in the Miami Duo system. Users might log in to Miami resources several times a day, from different devices even. During one 48-hour period near the end of February, for instance, there were 128,000 authentications. This is people checking their email, logging into BannerWeb, accessing classes in Canvas, and anything else that requires a Miami login.

Green Duo logo next to red Miami M

Here’s another huge number: Over 106,000 devices have been used to connect to Miami resources protected by Duo. Whoa! This means folks are registering more than one two-factor method to their Duo accounts—which is a great idea. For instance, if you lose or replace your phone, you’ll need to log in to manage Duo devices, so you’ll need that second factor regardless of whether it’s at the bottom of a river.

Browsin’ out of date

One of the most interesting statistics at our disposal is the number of users who need to update their browsers and operating systems. In fact, almost 20,000 devices are running out-of-date operating systems, and nearly 40,000 web browsers need to be updated as well.

Duo will work on web browsers that are 365 days out of date—after that, you will need to update. In general, though, it’s good to update technology when software and hardware providers push their system improvements, because some of those updates may include patches for bugs and other security-enhancing implements.

Bottom line: Update your software!

What does Duo prevent?

Now that we have looked at the numbers, let’s be real: What does all that mean?

The short answer is that Duo keeps us safe from what could otherwise be costly, unfortunate events.

Recently, IT Services investigated an incident where a student used a stolen faculty password to access the faculty member's Canvas grade book. The kicker? This happened a week before Duo was deployed. If this had happened a mere seven days later, the student would not have been successful—because they wouldn’t have had the second factor on the instructor’s account.

A recent phishing email is another perfect example of the work Duo is doing for us. A “click here” link in the email takes users to a page that looks nearly identical to the Miami login screen—which of course is a clever front in order to record unsuspecting users’ login credentials.

The great thing about having Duo, though, is that even if someone were to get your login credentials through nefarious means like this, they still wouldn’t be able to access your account—because they don’t have your second factor (e.g., your smartphone or landline) that’s used to acquire the two-factor code.


How are people using Duo?

Duo push and mobile passcode are the recommended authentication methods. These are fast, easy, and free. What’s more, the app can be used in situations where receiving a phone call or text is not an option. For instance, when you are traveling out of the country or when you have a class in a cell-service-lacking basement.

Just under 80 percent of our users authenticate via Duo push, where the smartphone app will send a push notification to a device and the user simply has to select a green checkmark to assure the system that they are who they say they are.

Around 6 percent use the mobile passcode option, which is accomplished by getting a code from the app and manually inputting it.

Great job, Miami!

For more information on using the mobile app, please see Duo’s own guidelines: