Breaking Up With The iFrame: Introducing Our New Developer Tooling
It’s hard to say this, but we need to break up.
It’s not you. It’s us. (Well, it is sort of you.)
We've been through a lot together. When Duo first launched our industry-transforming authentication prompt, you delivered secure end-user authentication to applications at companies big and small. You helped keep our customers safe! You weren't obtrusive. Most of the time, you just worked.
But things have changed.
Recently, we announced our Universal Prompt Project, a major technical and UX redesign of core Duo functionality, focusing on our authentication prompt.
This project isn't just a superficial change — though our new Universal Prompt is beautiful. The underlying technology required to deliver the new authentication experience needs to be reworked. And reworked without you.
All that being said, we can’t quit you outright. The current prompt will remain available and fully supported as we build out the new authentication experience, but we are heading for the door.
We see a future where browsers keep tightening what you’re allowed to do, because you’re so commonly associated with advertising and cross-site tracking. And to be frank, we also see that modern authentication standards like U2F and WebAuthn look at you skeptically — if they’ll allow a cross-origin frame to call them at all.
Finally, your dependence on third-party cookies, which browsers now handle inconsistently or block outright, makes it difficult to build reliable functionality with you.
So now that we’re breaking up, where are we headed next?
To start, we’re launching new Developer Tooling to enable an authentication flow without the iFrame. It may seem harsh, but it’s for the best. There are benefits for our customers and technology partners that come with this breakup.
For example, we’ve decided to adopt a new URL redirect flow that’s built on OIDC. By moving to a redirect model where Duo hosts the interim URL, the prompt runs on Duo’s own origin rather than inside a page we don’t control: the user can see Duo’s hostname in the address bar, and the prompt’s cookies are first-party instead of third-party. That is what we mean by stronger hostname security. Although OIDC is usually associated with primary authentication, it’s also a suitable and effective way to deliver MFA. We’ll be expanding on why we chose OIDC in an upcoming post.
The new authentication flow provides out-of-the box benefits
For one, the new authentication flow lets partners glean more contextual authentication information from Duo during the MFA process. Traditionally, an application was told only whether the MFA check succeeded or failed. With the new tooling, we return additional context at the time of access, including attributes of the access device and of the MFA device that was used, so the application can log it or factor it into its own access decisions.
Additionally, the new tooling includes a dedicated Duo service check, so any partner can confirm that the Duo service is reachable before sending an end user into second-factor authentication. The Duo service is incredibly reliable, but if it is ever unavailable, app developers can now decide how to react: fail closed (refuse the login) or fail open (allow the login on the primary factor alone), depending on the circumstance. Failing open is a deliberate trade of security for availability, so it should be a conscious configuration choice and logged whenever it happens.
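To make the redirect flow and the service check concrete, here is an added example of my own; it is not Duo’s Web SDK or its API. It shows the relying party’s side of an OIDC authorization-code redirect used for MFA (state generation, callback validation, and checking the claims that come back with the result), plus the fail-open/fail-closed decision driven by a health check. The provider hostname, endpoint paths, client ID, and claim names are placeholders I am assuming for illustration; the real Web SDK performs the token exchange and signature verification for you.

```python
"""Relying-party side of an OIDC authorization-code redirect used for MFA.

Added example, not Duo's Web SDK. Host, paths, client ID and claim names below
are assumptions for illustration only.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider settings (placeholders, not real values).
PROVIDER_HOST = "mfa-provider.example"        # the prompt is served from this origin, not from our page
AUTHORIZE_PATH = "/oauth/v1/authorize"        # assumed authorization endpoint path
TOKEN_ISSUER = f"https://{PROVIDER_HOST}/oauth/v1/token"   # assumed `iss` value of the id_token
CLIENT_ID = "DI_EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/mfa-callback"
STATE_TTL_SECONDS = 300                       # how long a started MFA attempt stays valid


@dataclass
class PendingMfa:
    state: str       # random value that ties the callback to this session
    username: str    # user who passed primary auth and is being sent to MFA
    started: float


def start_mfa(username, session, now=None):
    """Record a pending attempt in the server-side session and build the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["pending_mfa"] = PendingMfa(state, username, now if now is not None else time.time())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    return f"https://{PROVIDER_HOST}{AUTHORIZE_PATH}?{urlencode(params)}"


def handle_callback(callback_url, session, now=None):
    """Validate the browser's return trip; returns (username, code) to exchange at the token endpoint."""
    now = now if now is not None else time.time()
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived on an unexpected URL")
    # pop, not get: a pending attempt is consumed once, so a replayed or mismatched
    # callback cannot be retried and the user has to start over
    pending = session.pop("pending_mfa", None)
    if pending is None:
        raise ValueError("no MFA attempt in progress for this session")
    query = parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), pending.state.encode()):
        raise ValueError("state mismatch: callback not tied to this session (CSRF or forged return)")
    if now - pending.started > STATE_TTL_SECONDS:
        raise ValueError("MFA attempt expired; start over")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return pending.username, code


def check_mfa_claims(claims, username, now=None):
    """Check the id_token claims returned for the code (signature verification assumed done by the JWT library).

    Returns the contextual data the provider attached, e.g. access and MFA device attributes.
    """
    now = now if now is not None else time.time()
    if claims.get("iss") != TOKEN_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("preferred_username") != username:            # assumed claim name
        raise ValueError("token is for a different user")
    if claims.get("auth_result", {}).get("result") != "allow":   # assumed claim name
        raise ValueError("MFA not approved")
    return claims.get("auth_context", {})                        # assumed claim name


def mfa_action(health_check, fail_mode):
    """Decide what to do before redirecting: 'mfa', 'deny' or 'allow_without_mfa'.

    health_check: callable returning True when the provider is reachable and healthy;
    False or an exception means it is not.  fail_mode: 'closed' or 'open'.
    """
    try:
        healthy = bool(health_check())
    except Exception:   # network errors, timeouts and TLS failures all count as "down"
        healthy = False
    if healthy:
        return "mfa"
    if fail_mode == "open":
        # Deliberate availability-over-security choice; log and alert on every occurrence.
        return "allow_without_mfa"
    return "deny"
```

The state value is the piece that ties the redirect back to the browser session that started it; checking it with a constant-time compare, consuming it on first use, and expiring it are what stop a forged or replayed callback from completing someone else’s MFA. The claims check is where the contextual data from the previous paragraph would be read, but only after issuer, audience, expiry and user have been confirmed.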
Finally, to come full circle, the new tooling enables our new Universal Prompt experience, which will be available only to integrations using these new tools. Enabling the Universal Prompt will provide a smoother, simpler, more secure authentication experience for all users — a prospect worth considering.
Introducing OIDC and WebSDK
Thus, today we are announcing two new pieces of functionality for developers that will enable customers and partners to add strong two-factor authentication to applications.
The OIDC standards-based Authentication API will allow customers and partners to build MFA support into their applications. Customers and partners with applications that support OIDC can directly utilize the API to implement two-factor authentication.
The WebSDK 4 Client Libraries make development as easy and simple as possible: Duo has developed open-source clients that handle the OAuth/OIDC exchange for you. This is the Duo-preferred way to implement two-factor authentication support in your application. Duo currently has Python and Java clients available.
The WebSDK 4.0 and the OIDC standards-based Auth API are now in public preview, and we recommend that customers try them out and begin migrating their applications. Please send any feedback to: firstname.lastname@example.org
If you would like to request support for other programming languages, please contact support to submit a feature request at email@example.com. We are adding support for additional languages based on customer requests.
And remember oh sweet, sweet iFrame, we’ll always care about you.