Mohamed Elashri

UC 2FA policy is not good

As a former student and current researcher at the University of Cincinnati, I have to keep using whatever the university decides to require for accessing my university account. This includes all internal services and, most importantly, my email. They use Microsoft Exchange for email and Duo for 2FA. They have disabled IMAP and POP3 access to the email account. This is another issue I have with the university, but it is not the focus of this post. The issue I want to address is the 2FA policy.

The university requires the use of Duo for 2FA. Duo is a paid service; it is not free. It is proprietary and not open source. The university puts us at the mercy of a company that does not have a good track record. Recently CERN completed the transition to requiring 2FA for all systems. This includes ssh access to lxplus nodes.

But for all the complaints and issues, CERN is not forcing us to use a proprietary, closed-source 2FA service. They use an open standard, and you can use all kinds of 2FA apps. I personally like Bitwarden Authenticator. It is open source, free to use and available on all platforms. I can export my keys and move to another app if I want to. I can even have a proper backup in case I lose my phone. I don't rely on the Duo cloud for backup. I have been burnt by my experience when I bought a new phone.

Now UC has decided to phase out Duo support for verification using SMS and phone calls. While this is a good move from a security perspective, it is not a good move from a user experience perspective. If you lose your phone, you will not be able to access your account. There is no way around that after this phase-out period ends on Jan 26, 2026. You have to open a ticket somehow and then try to get someone to help. I don't know how they expect me to do that. Not to mention that I might need immediate access to my account. I have to wait for a ticket to be opened and then wait for someone to help me.

But the worst thing is that you will probably need to go to campus to get help. I don't know how they expect me to do that. If this happens while you are based abroad, you will be in big trouble. You will not be able to access your account. And worse, you will not even be able to open a ticket to get help. You cannot just go to the IT office to get help.

The policy is not consistent and is short-sighted. While the security aspect is good, the user experience is not. And relying on the Duo service while not allowing people to use an open standard is not a good move. Instead, the policy should allow people to use an open standard and any 2FA app they want. But I doubt that will happen. This is the same university that partnered with LastPass as its password manager after its various security scandals.