DUO - Remember Me

The practice of keeping the DUO “remember me” feature active for a 10-hour period has changed.

After much consideration and investigation, we have determined that changing the “remember me” period to 7 days would provide a better balance of strong information security and system usability.

The following factors were considered during the review and investigation:

  • If a phishing attempt succeeded and a hacker obtained an individual’s credentials, the hacker would also need physical access to the individual’s computer and would need to know which web browser the individual used.
  • In addition, authorized users of UMB network resources are required to “Lock Down” (or log out of) the computer each time the computer is left unattended. UMB policy requires computer sessions to initiate a password-protected screensaver after a period of no more than thirty (30) minutes of inactivity, and mobile devices are required to have security passcodes activated.
  • Furthermore, if malware was inadvertently downloaded onto a computer as part of a phishing attempt, UMB’s application whitelisting security measures would render the malware inoperable.
  • Lastly, additional security measures will be introduced that further strengthen information security, making it more difficult for an unauthorized user to gain access to a computer system using stolen credentials, even with the longer time allowed between DUO authentications.