27 March 2025

“It’s Like Whack-A-Mole”: Learning How Yale Fixed its Phishing Problem (and How Your Organization Can Too)


By Kenneth Lewis - Communications Specialist


A 2025 Internet2 Community Exchange Sneak Peek

You have likely faced multiple attempts to phish your institutional data. Even as higher education and research (R&E) institutions implement multifactor authentication (MFA) solutions to barricade against phishing attempts, the attempts are becoming more sophisticated and, ultimately, successful.


Such was the case with Yale University, which experienced a sudden uptick in account compromises even after deploying Duo’s multifactor authentication solution campus-wide. Bad actors, posing as university staff, convinced some of Yale’s users to hand over their SMS-based MFA codes. But Yale fixed that problem.

However, after disabling SMS as an MFA option, adversaries tried again, convincing users to approve Duo Push requests.

After that attempt, there was yet another. 

“It’s like whack-a-mole,” said Jeremy Rosenberg, chief information security officer at Yale University. 

Rosenberg and John Gasper, an IAM architect at Yale University, lead the session “A More Secure Yale: A Passkey and Duo Desktop Story” at the 2025 Internet2 Community Exchange, where the pair will share their journey of implementing passkeys and device-security controls at scale.

“The stakes are high for staying ahead of adversaries as their phishing and account takeover techniques keep getting better over time,” said Gasper.

But the Yale team’s answer was not inaction. Instead, they chose a holistic approach, requiring risk-sensitive users to use FIDO2 passkeys for MFA and to log in only on computers where Duo Desktop was installed and signaled that the computer was secure.
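The three rounds described above (SMS codes handed to a caller, push requests approved for an attacker, and the final passkey-plus-device-posture policy) can be modeled in a few dozen lines. The following is an added illustration, not Yale’s or Duo’s code: the relying-party ID, the origins, the policy stage names and the HMAC used as a stand-in for a FIDO2 signature are all assumptions made for the example. What it shows is why the first two factors are “whack-a-mole” (they succeed whenever the user cooperates, whatever site asked) while a passkey assertion minted on a look-alike origin is rejected by the service and a login without a healthy-device signal is refused even for the genuine user.

```python
"""Toy model of the phishing rounds in the story above and of the policy that ends
them.  Added example, not Yale's or Duo's code; the relying-party ID, origins,
stage names and the HMAC stand-in for a FIDO2 signature are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

RP_ID = "login.example.edu"                       # constructed relying-party ID
REAL_ORIGIN = f"https://{RP_ID}"
PHISH_ORIGIN = "https://login.example-edu.com"    # constructed look-alike site


@dataclass
class Passkey:
    """Stand-in for a FIDO2 credential registered against RP_ID.  A real
    authenticator holds a private key; a shared secret plus HMAC plays that role
    here so the example runs offline."""
    secret: bytes

    def assert_login(self, origin: str, challenge: bytes) -> dict:
        # The browser, not the user, supplies the origin it is actually on, and the
        # authenticator signs it.  There is no code for a user to read out.
        client_data = f"{origin}|{challenge.hex()}".encode()
        sig = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge, "sig": sig}


def verify_passkey(secret: bytes, assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party check: the signed origin must be ours and the challenge fresh."""
    if assertion["origin"] != REAL_ORIGIN:
        return False                      # assertion minted on a look-alike site
    if not hmac.compare_digest(assertion["challenge"], expected_challenge):
        return False                      # replayed or foreign challenge
    client_data = f"{assertion['origin']}|{assertion['challenge'].hex()}".encode()
    expected = hmac.new(secret, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


# Policy stages as the story describes them: the factors the service still accepts.
# "passkey" additionally requires a healthy-device signal (the Duo Desktop role).
POLICY = {
    "initial": {"sms_otp", "push", "passkey"},
    "sms_disabled": {"push", "passkey"},
    "passkey_required": {"passkey"},          # applied to risk-sensitive users
}


def evaluate_login(stage: str, factor: str, *, device_healthy: bool = False,
                   user_approved: bool = False, assertion: Optional[dict] = None,
                   challenge: Optional[bytes] = None,
                   secret: Optional[bytes] = None) -> tuple:
    """Return (allowed, reason) for one login attempt under the given policy stage."""
    if factor not in POLICY[stage]:
        return False, f"{factor} not accepted at stage {stage}"
    if factor in ("sms_otp", "push"):
        # Both succeed whenever the user hands over the code or taps approve,
        # regardless of which site asked.  That is the whack-a-mole problem.
        return (True, f"{factor} accepted") if user_approved else (False, f"{factor} not completed")
    if not device_healthy:
        return False, "device posture signal missing or unhealthy"
    if not verify_passkey(secret, assertion, challenge):
        return False, "passkey assertion rejected (origin or challenge mismatch)"
    return True, "passkey + healthy device"


def run_scenarios() -> dict:
    """Replay the rounds described in the article; returns who got in."""
    key = Passkey(secrets.token_bytes(32))
    challenge = secrets.token_bytes(32)       # the service's fresh login challenge
    outcomes = {}
    # Round 1: the user reads an SMS code to a caller posing as staff.
    outcomes["attacker_sms"] = evaluate_login("initial", "sms_otp", user_approved=True)[0]
    # Round 2: SMS is off, so the attacker gets the user to approve a push instead.
    outcomes["attacker_push"] = evaluate_login("sms_disabled", "push", user_approved=True)[0]
    # Round 3: passkeys required.  Even if the real challenge is relayed through a
    # look-alike site, the browser signs that site's origin and the RP refuses it.
    phished = key.assert_login(PHISH_ORIGIN, challenge)
    outcomes["attacker_passkey_relay"] = evaluate_login(
        "passkey_required", "passkey", device_healthy=True,
        assertion=phished, challenge=challenge, secret=key.secret)[0]
    # The legitimate user on a device that reports healthy gets in ...
    genuine = key.assert_login(REAL_ORIGIN, challenge)
    outcomes["user_managed_device"] = evaluate_login(
        "passkey_required", "passkey", device_healthy=True,
        assertion=genuine, challenge=challenge, secret=key.secret)[0]
    # ... and the same user from a machine without the posture signal does not.
    outcomes["user_unmanaged_device"] = evaluate_login(
        "passkey_required", "passkey", device_healthy=False,
        assertion=genuine, challenge=challenge, secret=key.secret)[0]
    return outcomes


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:24s} -> {'ALLOWED' if allowed else 'denied'}")
```

The origin check in `verify_passkey` is the part that makes the difference: a real WebAuthn relying party verifies the signed `clientDataJSON.origin` against its expected origin, so a credential used on a look-alike domain produces an assertion the genuine service will not accept, and no amount of user cooperation changes that. The device-posture gate is a separate, second condition, which is why the final policy closes both the “read me the code” and the “just tap approve” rounds at once.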

There were implications and questions, such as “How do we get employee buy-in?” and “What happens if the plan doesn’t work?” Both measures were challenging to implement because they required the team to consider the whole institution, the existing Duo MFA rollout, and what had and had not worked in Yale’s earlier attempts to fix the problem.

“People literally had to adopt new daily workflows,” said Gasper. 

However, with proper staff and campus-wide training, the team employed a successful strategy that turned its phishing problem around.

“The technology we’re rolling out is not novel,” says Gasper. “…but arguably necessary.”

Learn How to Fix Similar Problems at Your University

Listen to the Yale team provide an overview of passkey and device posture-checking technology. Gain insights into the technical setup, policy, and employee considerations of requiring passkey MFA and implementing Duo Desktop-based enforcement.

Hear the specific challenges, lessons learned, and best practices from Yale’s period of constant phishing attacks on its high-risk users.

You will leave the session understanding how Yale University’s work is transferable to your institution and how to protect your users from account compromise, lost/stolen devices, and malware. 

Learn how to avoid pitfalls and increase employee buy-in from even the most risk-sensitive employees. 

“A More Secure Yale: A Passkey and Duo Desktop Story” takes place on Wednesday, April 30, from 11:00 to 11:50 a.m. PT at the 2025 Internet2 Community Exchange. 

Check out this session and other related presentations in the Security Concerns, Collaborations, and Solutions Track, which highlights data, network, and identity-related security concerns for the global R&E environment, at the 2025 Internet2 Community Exchange held April 28-May 1 in Anaheim, Calif. 

Visit the CommEX25 website to learn more about the event and register, and be sure to check out our “Shaping an Unmissable CommEX25” series for insight from the leaders behind this year’s program.