Change in Multi-Factor Login Begins Fall 2023

Rollout of the new multi-factor prompt for authenticating into services and websites this fall. Everyone will be moved to the new prompt by January 2024, since the company UF currently uses for its authentication service (DUO) is deprecating the current prompt on March 31, 2024. The schedule for moving the UF community to the new prompt is:

● Oct. 3   Primary Affiliation: Staff           

● Oct. 17 Primary Affiliation: Faculty 

● Nov. 7  Primary Affiliation: Students 

● Jan. 9   Remaining community members

The UF community will experience these changes:

User Interface
There is a new look and feel of the prompt screen (shown).

2FA Method Selection Change
UF community members currently select a verification method such as a passcode, mobile device push, or hardware token. The new prompt will select the most secure method available based on what a user has registered for.

Please contact the UFIT Help Desk if you have any questions or concerns about the changes to the multi-factor prompt.

MFA Bombing On the Rise at UF

MFA bombing attacks are increasing at UF. MFA bombing is a tactic used to circumvent your UF account’s multi-factor authentication measures. During an MFA bombing, the attacker uses your stolen username and password to repeatedly send ‘Duo Push’ notifications and/or phone call requests, hoping after multiple notifications you will give up and approve the Duo request. Approval will give the attacker access to your GatorLink account. If an attacker can MFA bomb you with repeated Duo requests, it means your GatorLink password is compromised and the attacker is trying to sign in using the stolen password.

To stop the onslaught of Duo attempts, you’ll need to reset your GatorLink password. Visit the GatorLink Account Management portal, select “Forgot/Reset Your Password,” and follow the prompts after selecting “Self-Service Reset.” You will be asked to provide your UFID, Gatorlink username, and additional information used to verify your identify.

It is important to use “Forgot/Reset Your Password,” and not “Change Your Password,” because the latter requires you to sign in–and you may accidentally approve the attacker’s Duo Push instead of your own requested notification!

The Duo requests should stop soon after resetting your password. (It may take a few moments for the attacker to get kicked out.) For more information on MFA bombing, visit UF’s Information Security website’s MFA bombing page.

Tips for Multi-Factor Authentication Efficiency

Since UF adopted multi-factor authentication (MFA), the number of compromised GatorLink accounts has decreased by 99.7%. Using the multi-factor authentication app provides additional protection to the university’s systems and services. This means your personal information as well as your research files, proposals, and all university data, is better secured.

Tips to enhance your MFA experience:

1. Add a second device to your MFA account, in case your primary device is lost or stolen. UFIT created a short video explaining how to add a device.
2. Use a passcode to authenticate even without an internet connection or cell service. Open the Duo app, then tap the University of Florida drop-down tab on the home screen. Type in the six-digit code provided when logging into UF services.
3. Check the “Remember Me” option to not be prompted to authenticate for 10 hours, as long as you’re using the same browser on the same device.

Visit it.ufl.edu/2fa or contact the UF Computing Help Desk (helpdesk@ufl.edu, 352-392-HELP/4357, 132 Hub) for assistance using multi-factor authentication.