Duo Mobile (MFA) – Frequently Asked Questions (FAQ)


This article serves to explain what multi-factor authentication (MFA) and Duo Mobile are, and why they are necessary additions to Deakin's security.

Are you looking for Troubleshooting Information about Duo?


What is MFA?

To further enhance security, the Deakin Shield program is implementing Multi-Factor Authentication, also known as "MFA", on key Deakin services that hold personal or sensitive information.

When you log in to Deakin University services you use your username to identify yourself and your password to prove that identity, that is, to authenticate yourself. There are many ways to authenticate to a service. When authentication methods are grouped into categories, or "authentication factors", your password counts as "something you know". Other factors include "something you have", such as a mobile phone, smart card or hardware token, and "something you are", which covers your fingerprint and other biometrics.

MFA requires you to prove your identity using more than one factor of authentication. In the MFA implementation currently underway your password, or "something you know", will be combined with either an app installed on your smartphone or a hardware token; "something you have".

By combining factors from different categories, an attacker who has only your password (for example from a phishing email or a leaked password database) still cannot log in, because they do not also hold your phone or token.


What is Duo Mobile?

The Deakin Shield project is using Duo Security to implement MFA because it provides a streamlined user experience. If you access other online services that require Multi-Factor Authentication you will have experienced the process of copying a 6-digit One Time Passcode (OTP) from Google Authenticator or a hardware token into a web page. When using the Duo Mobile app you can simply approve or deny a login by pressing a button on your Android or iOS device. If you receive a Duo push for a login you did not just start yourself, deny it: an unexpected prompt is a sign that someone else is trying to use your password.


Why does Deakin need MFA?

Anti-malware and email filtering can only do so much to protect you from malicious software and from phishing attacks designed to trick you into giving your password to a third party. Everyone knows they should not use the same password for multiple services, but inevitably people forget this and use their Deakin University password elsewhere. If one of those other services is compromised, the attacker has not only your password for that service but also your Deakin University password. Databases of passwords stolen from compromised services are readily available online for criminals to purchase and use in credential stuffing and other attacks.

Multi-Factor Authentication is needed to protect your personal information, information belonging to Deakin University and our online reputation.


How does MFA work?

Once your account has been configured to require Multi-Factor Authentication the next time you access an MFA enabled service you will be prompted to install the Duo Mobile app and link your smartphone to your account. This is a straightforward process with easy-to-follow on-screen instructions.

After your smartphone is enrolled you can use the Duo Mobile app either to approve logins with a push notification or to generate an OTP that you type in when prompted.


Why can't I use my existing MFA application or token?

Duo Security provides a streamlined user experience through the use of push notifications, and enterprise management features that allow eSolutions to effectively support the thousands of staff and students who work and study at Deakin University.

Most third-party issued MFA tokens, like the one issued by a bank, cannot be used because they are tied to the organisation that issued them. Other MFA tokens need to be plugged into a USB port on your computer, making them unsuitable for authenticating from a smartphone or tablet. Supporting third-party MFA applications such as Google Authenticator introduces additional complexity, which makes it difficult to support and to provide a good user experience.

Why can't Staff use SMS services or phone calls to provide a second authentication factor?

Multi-Factor Authentication is intended to protect your account in the event that your password is compromised by a third party, and this only works if the second factor is independent of your password. Because your password alone lets someone log in to Microsoft Teams and receive your phone calls there, an attacker who has your password could also answer the verification call, so phone calls are not a secure second factor.

Due to a rising number of high-profile attacks in which victims' phone numbers have been hijacked (for example by having the number transferred to an attacker's SIM), most online services are removing support for text messages as a second authentication factor. For the same reason Deakin University is not allowing SMS or phone calls to be used as a second authentication factor for staff.

Students are offered SMS only as a fallback when no other method, such as Duo Mobile, is available to them.

What does Duo Mobile have access to on my phone?

Most importantly, Duo Mobile has no access to change settings on your phone. Duo Mobile cannot read your emails or SMS history. It cannot see your browser history. It cannot wipe or remove files on your phone. The visibility Duo Mobile does require is to verify the security of your devices, such as OS version, device encryption status, screen lock, and the ability to send notifications to your phone (for Push requests).

More Information: Duo Push Guide (which explains what Duo Mobile can, and cannot do)

What services will prompt me for MFA?

On the 20th of August 2019, MFA was applied to all Deakin applications that use single sign-on (SSO).

Our tip is to keep the "Remember me for 7 days" tick box checked on your own device, so you are not prompted for every login. Leave it unchecked on a shared or public computer, because it lets anyone using that browser skip the MFA prompt for the rest of the week.

Why does Duo Mobile app need access to my camera?

When using MFA for the first time and enrolling your device, the Duo Mobile app uses your camera to scan a QR code displayed on the screen. If you do not wish to give this permission to the Duo Mobile app you can instead enrol your device using a link sent via email.

Would Duo Mobile need access to my mobile number?

Duo Mobile may use your mobile number in order to authenticate the device during the initial set-up. Deakin would not use your number for any other purpose.

How much data does a Duo Push request use?

While Duo Mobile works best when connected to the internet, it needs very little mobile data. A single Duo Push uses about 2 kilobytes (KB) per authentication.

Some people worry that Duo Mobile will use a large amount of data over an average working month. Duo's own estimate is that around 500 authentications in a month, which is over 16 per day and well above the usual rate for staff or students, would use roughly 1 megabyte (MB) in total.

1 MB is roughly equivalent to loading a single webpage on your smartphone.

More Information: How much data does a Duo Push request use?


How can I edit my Duo MFA settings and devices? 

For information on managing your MFA devices and settings, please visit the Duo Central - Managing Devices article.