
Today, the Information Security Office will extend the default “remember me” period for Duo 2-Step Verification from 12 hours to seven days.

This extension means that most users will verify their identities less often when they log into systems that require Duo at UNC-Chapel Hill. This provides a more convenient — yet still secure — experience.

All about Duo’s ‘remember me’

Even if you’re familiar with Duo, you may not know exactly how “remember me” works. Here’s how extending the period from 12 hours to seven days will simplify logins.

When you log into Duo from a new device or browser, you first verify your identity. Then, you see a pop-up asking if this is your device. If you choose yes, Duo uses a browser cookie to “remember” that device. This cookie tells your browser to skip requiring 2-Step for the duration of the “remember me” period.

When that cookie expires, the next time you visit a UNC service that requires Duo, you’ll be prompted to verify your identity. Since you previously selected that this was your device, the prompt will have a small “remember me” checkbox. This box will be checked by default and renews your browser cookie.

Screenshot showing the Duo "is this your device" interface with the large "yes, this is my device" button

Screenshot showing a Duo push screen that now shows a small "remember me" checkbox in the bottom left

In short, when the device is “remembered,” you won’t have to verify your identity as often — so don’t choose “this is my device” if it’s not yours or it’s one you share.

Note that while UNC is extending the default “remember me” period to seven days, applications may require login more frequently based on the application’s timeout window. And because “remember me” depends on a browser cookie, you may need to 2-Step again if you clear your cookies, use a private browsing window or switch browsers.

Change is data driven

Extending the “remember me” period for Duo is one way that UNC is making it easier for the Carolina community to be secure. Historically, adding security has meant more hoops to jump through. The Information Security Office hopes to change that.

“We care about user experience and actively consider it in the security program,” said Paul Rivers, Chief Information Security Officer. “We are data driven. We can expand the use of 2-Step while offsetting some of the impact.” More services using 2-Step, he said, is a “massive net gain” for security at UNC.

Making security easier is also the main goal of Carolina Key, UNC’s passwordless login. Carolina Key replaces both a password and 2-Step Verification with strong device-based authentication called a passkey.

Passkeys are cryptographic tokens you store on devices like smartphones, smartwatches, laptops and tablets. Using either a PIN, physical security key, or the built-in biometric sensors on your device, like facial recognition or fingerprint scanning, you quickly unlock and send your passkey to the requesting site.

Because Carolina Key is so secure, it replaces both your password and Duo 2-Step Verification when used with most systems at UNC that use Single Sign-On (SSO). Carolina Key allows you to skip both your password and Duo in favor of a fingerprint, PIN or facial recognition for convenience and secure logins.

Registering your device with Carolina Key is quick and easy. If you want to learn more, visit 3 reasons to go passwordless with Carolina Key.

Carolina Key logo is a key on a keyring with a stylized Old Well. Also on the keyring are methods used to authenticate: a security key, a fingerprint, facial recognition and a PIN.
Carolina Key is UNC’s passwordless login
