Project Status: Complete
On January 27, 2026, some Two-Step Verification (Duo) settings were modified to enhance security and increase the support feature set of the service.
Who Was Affected?
- All users of Two-Step Verification (Duo) were affected.
- This included users who were required to use Two-Step Verification for the Entra ID tenant on January 26, 2026.
What Changed?
| Setting | Previous State | What Changed | Benefits | User Experience Change |
|---|---|---|---|---|
| Duo Mobile App – Instant Restore | Instant Restore was not enabled | Instant Restore enabled for recovery of Duo-protected accounts; Instant Restore details | Reduces support burden and allows users to self-recover their accounts when they change phones | None |
| Phone Callback Keys | Users could press any key to authenticate | Users press different keys to authenticate or report fraud: * - to verify | Allows users to report suspicious or fraudulent activity (e.g., they did not initiate a request); reduces risk of accidentally pressing a key to authenticate a malicious action | For the phone callback option, users must press “*” (asterisk) to authenticate |
| SMS Passcodes | SMS codes did not expire | Codes expire after 1 minute | Prevents codes from being saved up and/or phished and used later | Users need to use their codes relatively promptly once received |
| SMS Passcodes | SMS message had no information about the sensitivity of the SMS passcode | Messaging added: “Penn support will never ask for your code” | Warns users that the code should not be shared and the University will never ask for the code | None |
| Block Duo Push Attempts | Any number of Duo Push attempts could occur in rapid succession | Block push attempts that occur within 15 seconds of an unanswered attempt; blocked attempts will be reported in the Authentication Log as “frequent attempts” | Prevents phishing activity and authentication fraud; prevents an excessive number of pushes being sent to a user all at once | Users must acknowledge a push as it occurs before requesting another push |
Help & Resources
- Users should contact their Support Providers for help.
- Support Providers may contact ISC Client Care for issues.
- For more information about Two-Step Verification (Duo), see the website.