Scheduled Service Change: Two-Step Login (Duo) security changes on 9/23/25
Event:
2025-09-23 09:00:00
Expected Duration:
2025-09-23 14:00:00
Status:
Closed
Brief Description:
On Tuesday, September 23, 2025, CIT will require Duo Verified Push for all Duo Mobile app users and will remove the Duo Phone Call and Duo SMS Passcode options due to increased security threats.
User Impact:
Users will no longer be able to use voice phone calls or SMS passcodes to log in, but can use the Duo Mobile app or other options (yubikeys, touch id on your laptop, hardware token, etc).
Services Affected:
Authentication and Authorization
Subsites Affected:
Two-Step Login
Full Description:
On Tuesday, September 23, 2025, Cornell continues the rollout of changes intended to improve Two-Step Login (Duo) security.
In response to increased threats to Cornell NetID passwords and university services, CIT will be requiring Duo Verified Push for all Duo Mobile app users and removing the Duo Phone Call and Duo SMS Passcode options. This change will affect faculty, staff in academic units, retirees, students, and some alumni.
Looking ahead, on November 4, these changes will also be required for those who are not currently using the Duo Mobile app. After Nov. 4, Cornell accounts without the Duo Mobile app on a smartphone will need to use a USB security key or hardware token to log in. Those who log in to CU VPN should choose the hardware token.
During September, and October, groups within the Cornell community will receive direct email notifications letting them know about the timing of the changes to their accounts.
Public information about these changes is available on IT@Cornell at Important Two-Step Login (Duo) Changes Continue on Sept. 23.
In response to increased threats to Cornell NetID passwords and university services, CIT will be requiring Duo Verified Push for all Duo Mobile app users and removing the Duo Phone Call and Duo SMS Passcode options. This change will affect faculty, staff in academic units, retirees, students, and some alumni.
Looking ahead, on November 4, these changes will also be required for those who are not currently using the Duo Mobile app. After Nov. 4, Cornell accounts without the Duo Mobile app on a smartphone will need to use a USB security key or hardware token to log in. Those who log in to CU VPN should choose the hardware token.
During September, and October, groups within the Cornell community will receive direct email notifications letting them know about the timing of the changes to their accounts.
Public information about these changes is available on IT@Cornell at Important Two-Step Login (Duo) Changes Continue on Sept. 23.
CIT TDX ID:
1920277
Timeline of Changes
| Description | Current Status | Date | Time |
|---|---|---|---|
On Tuesday, September 23, 2025, Cornell continues the rollout of changes intended to improve Two-Step Login (Duo) security. In response to increased threats to Cornell NetID passwords and university services, CIT will be requiring Duo Verified Push for all Duo Mobile app users and removing the Duo Phone Call and Duo SMS Passcode options. This change will affect faculty, staff in academic units, retirees, students, and some alumni. Looking ahead, on November 4, these changes will also be required for those who are not currently using the Duo Mobile app. After Nov. 4, Cornell accounts without the Duo Mobile app on a smartphone will need to use a USB security key or hardware token to log in. Those who log in to CU VPN should choose the hardware token. During September, and October, groups within the Cornell community will receive direct email notifications letting them know about the timing of the changes to their accounts. Public information about these changes is available on IT@Cornell at Important Two-Step Login (Duo) Changes Continue on Sept. 23. |
2025-09-18 | 11:35:37 |