Skip navigation
Duo Blog
Admin Login

Categories & Archive

Product & Engineering
Matthew Brooks

Duo’s MacLogon Release Enhances MacOS Security With Offline and M1 Support

MacOS is a popular computer operating system used on Apple computers. Like any personal computing device, it requires local authentication to login. Apple provides username and password login for primary authentication and Cisco Duo provides secondary factors to strengthen the macOS security authentication process. Now Duo has extended support for secondary authentication when the macOS endpoint is offline and added support for the popular M1 line of macOS hardware.

MacOS and MFA

MacOS is the second most used desktop/laptop operating system at ~15% of the worldwide market and it is estimated to have as much as 30% share among developers. Among other benefits Mac enthusiasts communities, such as at universities, often claim it provides a better user interface and with a closed ecosystem has less security vulnerabilities. Those communities look to vendors like Duo to provide multi-factor authentication (MFA) to mitigate the risk of bad actors breaching their macOS security systems.

Prior Duo support for MacOS

Until now Duo could be implemented in macOS environments easily, like most Duo products – we are good at both admin and user experience! Admins push a plugin to macOS user endpoints that have keys and a hostname needed to securely connect to Duo Cloud. Within the cloud console admins could create a variety of granular policies to manage authentication according to their security strategy.

Screengrab of the Duo-MacOS integration window

New Duo support for MacOS

Duo can still be implemented with macOS security in the same way to provide secondary authentication, but now admins have the option of allowing offline access including specific constraints around its use like how many login attempts are allowed until a user is back online. So, now when users are traveling, at a remote location without Wi-Fi, or just taking a break from social media they can still login to their macOS endpoint with Duo providing second factor authentication.

Screenshot showing the Mac offline login settings window

How it works online

After admins go through the Duo installation process on macOS endpoints they have a Plugin running with hooks into the local authentication process. Then after the macOS security process validates a local username and password it prompts Duo to perform secondary authentication for that username.

The user may be assigned a specific method like Push or be allowed to select a method. Once they proceed with a method, Duo validates the user and confirms or denies them access to the macOS endpoint.

Graphic showing the process for authentication when a device is online

How it works offline

When macOS users are offline the initial process is similar, but once the Duo authentication process recognizes it cannot reach Duo Cloud it initiates offline login. The first login it offers the user is the option to enroll in offline login.

The user will be asked to select a:

  • Duo Mobile Passcode - A 6-digit numeric string is provided in the Duo mobile app for the user to enter in order to validate secondary authentication on the macOS device

Duo admins are given other configuration options to manage the offline authentication experience, such as the maximum offline login attempts allowed.

Once Duo re-establishes communication with Duo Cloud it uploads details of offline activity to populate corresponding logs, dashboards, and reports. It also reestablishes the online secondary authentication requirement moving forward.

Graphic showcasing the offline authentication process which is: 1) User submits username and password. 2) MacOS validates user and sends secondary factor request to the Duo process. 3) Duo notes the endpoint is offline. 4) Duo authenticates the user with mobile passcode and monitors for online validation. 5) User is logged in.

Duo support for Apple M1 series

Whether using online or offline login Duo has also added support for M1 Macs. Duo Mac Logon 2.0 will support the M1 chipset. Apple M1 System on a Chip (SoC), is a new chipset that is replacing Intel processors in 13-inch MacBooks and the Mac Mini. According to Apple, M1 is the best performing chipset on the market. To compliment that great performance Duo supports secondary authentication to provide top notch identity validation with a great user experience!

Apple M1 logo

Summary

Cisco Duo is a cornerstone for multi-factor authentication in the security industry. Duo supports leading authentication methods including verified Push, OTP (One Time Password) Hardware Token, Duo Mobile, and SMS Passcodes. At the same time macOS users and admins delight in the easiness of the experience.

Now Duo’s macOS security offline login functionality extends that great MFA protection to users when they are traveling. Admins can rest assured that once users are back online, their access details are seamlessly synchronized with Duo cloud.

Try Duo for free!

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.