Passcodes generated by the Duo mobile app have traditionally been HOTP (HMAC-based one-time password) codes. Many other passcode-generating applications, e.g. Google Authenticator and Microsoft Authenticator, have used TOTP (time-based one-time password) codes. HOTP passcodes remain valid until they are used, while TOTP passcodes expire after 30 seconds.
In the past few months, Duo has added the TOTP feature to passcodes generated by the Duo mobile app. Our plan was to make a gradual move from HOTP to TOTP, and that had begun for a number of staff in Information Technology. Those plans changed abruptly last evening when a number of UNI accounts became victims of a phishing attack, one that stole not only each victim's password but also one or two Duo mobile app passcodes. The bad actors used that information to add their own device to the victim's Duo account, giving them continued access until the victim's password was changed. Not good!
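To make the difference concrete, here is an added illustration (not Duo's code and not part of the original notice) of the two algorithms from RFC 4226 and RFC 6238, with a toy server-side verifier showing why a phished HOTP passcode stays usable until it is consumed while a phished TOTP passcode dies with its 30-second window. The secret, counters and timestamps are constructed for the demo.

```python
import hmac, hashlib, struct

# Constructed demo secret; a real enrolment secret never appears in the clear like this.
SECRET = b"constructed-demo-secret-0123456789"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)

class HotpVerifier:
    """Server side of HOTP: a code is accepted until it, or a later one, has been used."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.next_counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # consume this code and any skipped ones
                return True
        return False

def totp_verify(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server side of TOTP: only the current step plus +-skew steps (clock drift) are accepted."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d), code) for d in range(-skew, skew + 1))

def phished_hotp_replay() -> bool:
    """A passcode taken from the app at counter 3 still verifies later if the user never used it."""
    stolen = hotp(SECRET, 3)
    return HotpVerifier(SECRET).verify(stolen)

def phished_totp_replay(delay_seconds: int = 120) -> bool:
    """The same theft of a TOTP code fails once its time window has passed (constructed timestamp)."""
    t0 = 1_700_000_000
    stolen = totp(SECRET, t0)
    return totp_verify(SECRET, stolen, t0 + delay_seconds)
```

A HOTP code only stops working once the server's counter moves past it, which is exactly the window the attackers exploited; TOTP closes that window after the step (plus the small drift allowance) elapses.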
To stem the tide last evening, Information Security made two changes to Duo policy, one temporary and one permanent.
- The Duo mobile app will now generate TOTP passcodes instead of HOTP passcodes. This is a permanent change and should be largely transparent to the few users who use mobile app passcodes to log in; there are only 50-60 such users per day.
- Duo mobile app passcodes were temporarily disabled to halt the account takeovers. This occurred at approximately 7:30pm last evening and will be reverted this morning.
Thank you for your cooperation and understanding. Also, special thanks to the small team of talented IT staff that worked several hours last evening to respond to and mitigate this incident.