Another tip in a series provided by the Offices of Information Security, Information Systems & Computing and Audit, Compliance & Privacy

Duo Mobile is Penn’s supported application for two-factor verification. Penn recommends using the Duo Push method for verification.

Verified Duo Push was implemented in October  2024 for all PennKey-protected websites to provide additional security. 

Now, when you access a PennKey-secured resource with Verified Duo Push, you will be required to enter a three-digit code from your computer or tablet into Duo Mobile instead of selecting “Deny” or “Approve.” Requiring the code helps prevent “push fatigue” or “push harassment,” which are cyberattacks where hackers attempt to compromise resources by repeatedly sending verification pushes when you have not initiated the verification. 

By sending pushes repeatedly, hackers hope you will become confused or frustrated by repeated pushes, which will trick you into approving illegitimate access. Adding the three-digit code helps to ensure that the push is a legitimate verification request you made. Only approve pushes for requests that you have initiated, and do not provide the three-digit code to anyone.

For more information on two-step verification: https://www.isc.upenn.edu/two-step-quick-start.

--

For additional tips, see the One Step Ahead link on the Information Security website: https://www.isc.upenn.edu/security/news-alerts#One-Step-Ahead.