University of Michigan community members who use Duo two-factor authentication push notifications will be required to enter a three-digit code when logging into U‑M Weblogin, starting at noon Sept. 25.

This change aims to enhance the university’s defenses against phishing and identity theft, making it significantly harder for malicious actors to impersonate legitimate users. While the new process introduces an additional step in the login routine, it does not increase the frequency of authentication prompts people will receive.

“I am grateful to all of you for using the Duo verified push. This additional step adds an important layer of security to our authentication process,” said Ravi Pendse, vice president for information technology and chief information officer. “It will protect our data, our community, and each one of us.”

This change only affects users who receive Duo push notifications on their mobile device.

Currently, when a user logs in using U-M Weblogin, they receive a Duo prompt on their computer screen instructing them to approve or deny the push notification on their mobile device by clicking a green “Approve” or red “Deny” button. Under the new process, the Duo prompt on their computer screen will display a three-digit code. Users will enter this code in the push notification on their mobile device and click “Verify,” or click “I’m not logging in” if they did not initiate the login. 

Michigan Medicine transitioned to this change Aug. 9.

Users should ensure their Duo Mobile app is updated to the latest version. The most recent version of Duo Mobile is available from Google Play Store and the Apple App Store for devices running Android 11.0 or later and iOS 15.0 or later.

They should only accept Duo pushes that they initiated and report any unauthorized prompts via the Duo Mobile app by selecting “I’m not logging in” and “This is suspicious.” People receiving Duo prompts they did not initiate should change their password immediately.

“Our goal is to make the university’s authentication process as secure as possible without compromising convenience,” said Asmat Noori, interim executive director of information assurance and chief information security officer. “We all play a role in keeping our systems secure, and this update is an important step forward.”

The introduction of the three-digit code requirement for Duo verified push notifications is part of U-M’s broader initiative to continually improve cybersecurity. By implementing these changes, the institution underscores its commitment to ensuring a safer digital environment for everyone.