This is also an unfortunate coincidence, as today is Georgia Tech's first day of classes, and the institution's Single Sign-On (SSO) for almost all its services, such as the Canvas LMS, registration, and the Bursar, is based on Duo's service. Right now it seems to be having some issues and is timing out / not logging in.
However, I'm not sure if GT's Duo service is self-hosted or is hooked into Duo's service "in the cloud".
Duo seems to have had lots of success selling into higher education. To add to the other schools mentioned in this thread, Oregon State and Stanford both use it too. And lots of schools are starting class today, which might be what contributed to their downtime.
To be honest, their user experience is pretty slick compared to most two-factor solutions. I am happy for them (and their users) that they have been successful selling into large organizations – good user experience usually isn’t found in large enterprise software due in part to the principal-agent problem.
My Duo workflow was figuring out I can request an SMS OTP and read the OTP code as a notification on my laptop instead of unlocking my phone and confirming via the app. Hopefully they get volume pricing on texts.
This kind of workflow is probably against your workplace's rules. This bypasses one of the protections meant through something like a Duo app locked behind a device password screen; which is that even if your laptop is logged in and your password manager is running, a bad actor still couldn't get into protected things if they don't know your phone passcode.
I am reading this, slacking off, because I couldn't get into Georgia Tech's Canvas. Judging by the status.gatech.edu message, it seems like changing the instance of Duo that responds is a quick fix.
I'm actually taking a course there right now, as part of my pointless masochistic love of continuing education in stuff I like knowing to be well-rounded but no one will ever give a crap about professionally, and I logged in fine. Duo's push notifications seemed to stop working, but it lets you fall back on the TOTP passcode, which continued working.
UC (Cincinnati, not California) first day of classes is today too, I always hate that our IT doesn't allow 2FA except Duo. I always wanted to request an exception, but my previous experience with them refusing to allow IMAP access to my email because it is not secure!
> Did you notice that 2FA went away around 10 am? I worked on the team that made that happen. It's back now that the outage is over.
Yes, although I did not get affected that much. I was just trying to renew an overdue book from the library system. But I'm sure ~45k students got affected harshly on their first day of the semester.
> We do have an app that lets faculty exempt students from 2FA, but it's mostly for students who need the exception when taking tests etc.
It would be better if there is an option to allow graduate students who do research (PhD candidates) to be treated differently as they are not students anyway. And Duo is annoying. I understand that this is not something that will happen, especially with the reputation of UC IT department (sorry but you probably know).
> You are going to see a big change in the tech at UC very soon. The old guard is getting the boot.
This is something I have been hearing since I joined but without the old guard getting the boot part. Each year with increasing student enrollment, we can't even provide stable internet connection. I still remember two years ago the outage of the auth server for wifi system on the first day of classes (after covid) and this stayed the case for almost a week.
University of Kentucky too, first day of classes, no one can get into anything they aren't already logged in to with a valid cookie.
I spent 20 minutes trying to figure out what new cookie I needed to grey-list for the half dozen redirections in the M365 auth flow to not bork before I thought to check if it was generally broken.
This doesn’t mean GT is offline. There are a couple dozen Duo server #’s and this only affects DUO1. If GT is on DUO5 or DUO19 or DUO25 they’ll be fine today. It does raise the question of how to provide continuity of services if your server is offline though.
There are a lot more other problems that happen when each service manages their own authentication. The move to SSO has been in response to problems that existed then.
I was among the last to have to use dial-up from off-campus (which required a specialty ISP @ 26.6k or some awful speed). Fortunately, they upgraded their system while I was there, so I could use the “much” faster DSL. Still not as nice as on-campus internet.