What’s the Deal with Duo?

By Zachary Barry

Continuing my series of opinion pieces about Mines changing technology that makes me feel like a boomer shouting, “get off my lawn” at the IT department, today I am writing/ranting about Duo. For the article I wrote on Labby, I included a brief description of what Labby was for readers who may not have been familiar with it for one reason or another, but Duo needs no such introduction. I know several people who receive more calls from Duo in one day than they receive calls from their friends, family, and significant other in one week. This makes sense when you consider that if you sit down to log in to a campus computer, open Microsoft teams (who are next up on my list, consider yourself warned), access canvas, and open a paper that you accessed with your Mines login credentials you’ll have to authenticate your login 4 times with Duo in only 5 minutes.

         Don’t get me wrong, I understand that in this day and age cybersecurity is becoming more and more important (I’m not actually a Boomer), but I have a few complaints that I think are perfectly valid, and I think most of you would agree. First, the list of logins for which Duo is and isn’t required doesn’t make the most sense to me. In the example of how many times you might have to log in to Duo to work on a group project, how many of those authentications really seem necessary? Since a lot of information is stored on the Microsoft suite of products and local computer accounts, those two make sense to require dual authentication. The other two, not so much. What is a hacker doing to do if they log into my canvas? Submit their own crappy lab report? See that I got a C in O-Chem and feel bad for me? (That one wasn’t my joke, thanks to the sad Chem-Es of Alderson for sharing that one with me). I can understand the logic behind Duo on canvas, protecting your grades, preventing cheating, and protecting other students’ personal information. What I don’t get is; why anyone would hack into Springer Link with my username and password to view Performance characteristics of novel mechanical foam breakers in a stirred tank reactor?

         Okay, we are up to 4 sign-ins that require Duo, and if I squint, the majority of them have a good reason to be included. Now imagine that your group project isn’t going so well, and you are curious what would happen to your GPA if you got a C in the class, so you pull up trailhead to check your current GPA. You’re shocked by what you find, no not that your GPA has magically increased by a whole point (I wish), but by the fact that you didn’t have to use Duo to sign in to Trailhead. Your medical records, personal identification information, your bank account information are all less important to protect than your ability to access the Journal of Chemical Technology & Biotechnology. How could someone overlook this? Apparently, this wasn’t overlooked entirely, since when you visit the Mines ITS site about Duo it says, “Starting in Spring 2021, some applications such as Trailhead, Ex Libris, and remote access will require validation.” Both Ex Libris and remote access do require Duo, so why not Trailhead? I’m not sure. Maybe the platform used for trailhead and Duo are incompatible, but whatever the case many students, myself included, wonder, what’s the point of having Duo if it doesn’t protect what is most important?

         My second complaint is that the number of sign-ins required when working from a single device is much too high. Other schools, such as CSU, allow you to set up ‘favorite devices’ which require a reduced number of dual authentications on that device. On an average day, I end up using Duo about six times just to sign in to apps on my personal computer. If I was able to reduce that number by even a couple of sign-ins a day, such as when I go from Canvas in one tab to Microsoft suite in another, it would go a long way to help me feel less enraged when I see Duo pop up on my phone. Favorited personal devices also do not do anything about the number of times that you are required to sign in to access applications on a school computer, an account you can only access if you have signed in with Duo. From a safety class, I’m taking this year, I have learned about the ‘Swiss cheese’ method of protection, in which one layer of protection can’t possibly prevent all possible negative outcomes. The redundancy of Duo seems to align closely with this philosophy, but there are only so many pieces of cheese you can put on a sandwich before someone chokes on it, and I feel Duo is getting pretty close to that limit.