Changes to BuckeyePass/Duo on Sept. 20

Smartphone with green Duo logo on the screen

BuckeyePass, powered by Duo Security, is Ohio State’s method of multi-factor authentication, assisting in keeping our systems safe and helping us stay ahead of security threats. Starting September 20, faculty, staff and students will see the new Duo Universal interface when accessing university systems. Users do not need to update their app or take any action before this change.

What is Changing?

Duo Universal offers enhanced security measures and accessibility improvements. The update will speed up the authentication process for many users by remembering the previous authentication method used and defaulting to that method for future logins. For example, if your most recently used authentication method is a Duo Push, a Push notification will be sent automatically. Other changes include:

  • “Remember me” checkbox will be replaced by “Yes, Trust Browser” button that appears after authenticating.
    • Remember, users should only choose to trust a browser on their personal device(s).
  • SMS passcodes will no longer be sent out in batches of ten; users will only receive one SMS passcode at a time.
    • This change to SMS is being enforced by Duo. Using the “Trust Browser” feature on a user’s first authentication log in of the day will allow the user to bypass the need for another passcode for 24 hours.
  • All authentication options and devices you have configured for your account will be able to be displayed without having to log into the “Register and Manage Devices” page within the BuckeyePass website.

Current Duo Prompt

Current Duo authentication screen

New Duo Universal Prompt

Duo Universal authentication screen Duo Universal authentication options and devices for your account screen

Current “Remember Me” Option (appears before authentication)

Current Duo authentication screen with remember me checkbox circled

Updated “Yes, Trust Browser” Option (appears after authentication)

Duo Universal trust browser option screen Note: The first time a user authenticates from a specific browser (and each time if they don’t select trust browser) the user will see the “Yes, Trust Browser” page. On the next authentication after “trust browser” expires (i.e., the next day) one of two things will happen:

  1. If the user previously selected Duo Push, text message, or passcode for authentication, they will see a “trust browser” check box pre-selected when authenticating (see photo below). Users will not be sent to the secondary pop-up with the “Yes, Trust Browser” option.
  2. Duo Universal authentication screen with trust browser checkbox selectedIf the user previously selected an authentication method like Touch ID or a security key, they won't see the trust browser check box option selected on the page. If the user does not want to trust that browser again, they will need to cancel the Duo authentication in progress. This will send the user back to the page where they can choose an authentication method. At this point, users can uncheck the trust browser box and then try to log in again.