
Duo Needs You

This year UAH expanded its use of the multifactor authentication (MFA) solution Duo to include students.  Besides being a cyber-insurance requirement, protecting your account with Duo reduces the chance that malicious actors can gain unauthorized access to your UAH email or student account and make unauthorized modifications.

However, Duo is not perfect and there are social engineering attacks that can work against MFA solutions like Duo.  These attacks won’t work if you are cyber-aware and you stop, look, and think.

Attack #1 - Social Engineering Via Text Messages

Unfortunately, cyber attackers will sometimes send text messages pretending to be Duo and asking you to provide the 6-digit code from your Duo app.  They will then attempt to log in.  If they have already compromised your username and password (via past attacks to get access to your credentials) and can convince you to hand over your Duo passcode, they will be able to gain access to your account.

Always be suspicious of text messages requesting the Duo passcode if you have not attempted to log on to UAH services in the last 30 seconds or so.  These tricks require the attacker to put in a Duo MFA code very quickly, so there could be repeated urgent requests for the passcode from a strange number that Duo does not normally use.

Attack #2 - MFA Fatigue

One of the most common attacks against MFA solutions is when an attacker sends a flood of login attempts in the hopes that the user will get tired of the notifications in the Duo App and click “accept” at least once to make the notifications stop.  

If you receive multiple notifications via the App, SMS messages, or phone calls attempting to get you to complete your UAH login with Duo, please report this information to the Help Desk, which will notify the appropriate personnel at UAH.

Attack #3 - User Inattention

We are all pulled in many different directions, multitasking at work, at home, and everywhere we go.  Most MFA attacks rely on valid users not paying attention and not taking that extra second to verify that an MFA request is a valid one.  If you receive a login notification, take an extra moment and verify the location information provided in the Duo prompt in the app.  While the location is not perfect (my location at home shows up as Jacksonville, AL for some reason), at least the location is relatively close.  We have seen attacks against UAH accounts that originated on a different continent from where the valid user was at the time.  Needless to say, this is a strong indicator of an ongoing attack against MFA.

Figure: a notification from a strange place and time, where the user didn’t pay attention to the location provided in the push notification.
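For whoever receives those reports, here is an added example (not part of the original article, and not UAH's or Duo's code) of how the pattern in Attack #2 can be spotted in authentication events, keeping the location of any approval so it can be checked as in Attack #3. The event tuples, result names, locations, window and threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Duo log output):
# (ISO time, user, push result, location reported for the login attempt)
SAMPLE_EVENTS = [
    ("2024-03-01T02:10:05", "student1", "timeout", "abroad-1"),
    ("2024-03-01T02:10:40", "student1", "denied", "abroad-1"),
    ("2024-03-01T02:11:15", "student1", "timeout", "abroad-1"),
    ("2024-03-01T02:12:02", "student1", "timeout", "abroad-1"),
    ("2024-03-01T02:12:50", "student1", "denied", "abroad-1"),
    ("2024-03-01T02:13:30", "student1", "approved", "abroad-1"),  # user gave in
    ("2024-03-01T09:00:00", "student2", "approved", "Huntsville, AL"),  # normal
    ("2024-03-01T08:00:00", "student3", "denied", "Huntsville, AL"),
    ("2024-03-01T14:00:00", "student3", "denied", "Huntsville, AL"),  # hours apart
    ("2024-03-01T03:00:00", "student4", "timeout", "abroad-2"),
    ("2024-03-01T03:01:00", "student4", "timeout", "abroad-2"),
    ("2024-03-01T03:02:00", "student4", "timeout", "abroad-2"),
    ("2024-03-01T03:03:00", "student4", "timeout", "abroad-2"),  # flood, no approval
]

def find_push_floods(events, window=timedelta(minutes=10), threshold=4):
    """Flag users with >= threshold unapproved pushes inside `window`, and
    note whether an approval landed while the flood was still in the window."""
    recent = defaultdict(deque)  # user -> times of recent unapproved pushes
    alerts = {}
    for ts, user, result, location in sorted(events):
        now = datetime.fromisoformat(ts)
        pushes = recent[user]
        while pushes and now - pushes[0] > window:
            pushes.popleft()  # forget prompts older than the window
        if result in ("denied", "timeout"):
            pushes.append(now)
            if len(pushes) >= threshold:
                alert = alerts.setdefault(user, {"user": user, "pushes": 0,
                    "approved_after_flood": False, "approval_location": None})
                alert["pushes"] = max(alert["pushes"], len(pushes))
        elif result == "approved":
            if len(pushes) >= threshold:
                # The outcome the attacker wants: one "accept" to stop the noise
                alerts[user]["approved_after_flood"] = True
                alerts[user]["approval_location"] = location
            pushes.clear()
    return sorted(alerts.values(), key=lambda a: a["user"])

if __name__ == "__main__":
    for alert in find_push_floods(SAMPLE_EVENTS):
        print(alert)
```

An alert with `approved_after_flood` set is the case to treat as a likely account compromise; a flood without an approval still means the password is probably known to someone else.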

Should you receive a suspicious notification, please click the Deny button on your Duo app and report the issue to the UAH helpdesk at 256.824.3333 or

MFA will prevent most password-based attacks but there are still attack vectors that work against MFA.  Be diligent.  Be suspicious.  Report any Duo notifications that you do not recognize or cannot explain to OIT or your local IT provider.  Be prepared and cyber-aware!