
Duo’s New Session Trust Solution Provides Continuous Policy

User experience and security controls have historically been at odds: to improve security outcomes, organizations make users jump through more hoops before they can reach sensitive resources. Duo is rethinking this trade-off with the launch of Session Trust's continuous policy.

Challenge with sessions

When a user logs in to an application, the website sets a session cookie that the browser stores and attaches to every subsequent request. That cookie is what lets the website remember who the user is; without it, users would have to log in again with every click. Imagine having to enter your username and password every time you added an item to your shopping cart or opened a new page.

That's why sessions are so important. However, a lot can change over the course of a session. At the beginning, session trust is high because the application has just verified the user and the device. Over time that trust degrades: the user moves to a different location, the device picks up malware, or new signals suggest that the person behind the keyboard is no longer the one who logged in. Despite these changing risks, access today is binary: it is granted once at the start of the session and not re-evaluated until the session expires, hours or even days later.

Graph showing that the trust of a device after authentication declines over time

So how can we enable organizations to evaluate risk throughout the session and take action beyond the point of authentication? What other tools can we provide organizations beyond setting session length?

Introducing continuous policy with Session Trust

Session Trust now makes access safer by continuously evaluating device health policy over the entire lifecycle of the session. The new functionality has three parts: device posture heartbeats that are collected continuously, ongoing evaluation of that posture against the organization's policy, and web session enforcement that terminates a non-compliant session.

Flowchart showing how Risk Signals trigger Duo Policy which leads to Enforcement

Whereas device health policy was previously evaluated once, at the time of login, continuous policy uses Duo Desktop heartbeats to keep evaluating posture for as long as the session lives. When Duo Desktop detects a change in device posture, it sends a heartbeat to Duo, which re-evaluates the device against policy. If the device no longer complies, the Duo browser extension revokes the session by removing the login cookie, so the user is prompted to remediate the device issue and re-establish trust before continuing.

Because sessions are protected throughout their lifecycle, administrators can confidently lengthen session time, knowing that a session can be revoked the moment risk changes. End users stay logged in longer, and administrators no longer face the hard choice between short sessions that frustrate end users and long sessions that favor attackers.
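To make the difference between the two models concrete, here is an added simulation (illustrative code written for this post, not Duo's implementation) of the loop described above: a device emits posture heartbeats, each heartbeat is re-evaluated against an organization's policy, and a session that falls out of compliance is revoked immediately by dropping its login cookie, instead of living on until its expiry. The policy rules, posture field names, session lengths, and the heartbeat timeline are all constructed for the example and do not reflect a real Duo schema or API. The example goes slightly beyond the post by measuring the exposure window, the time a non-compliant device still holds a valid session, under the login-only model and the continuous model.

```python
"""Continuous session policy enforcement, modelled (added example, not Duo code)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# A posture heartbeat is a snapshot of device health at time t.
# Field names are assumptions made for this example.
Posture = dict
Rule = tuple[str, Callable[[Posture], bool]]

# An organization's device health policy: every rule must pass (constructed).
POLICY: list[Rule] = [
    ("disk_encrypted", lambda p: p["disk_encrypted"] is True),
    ("firewall_on", lambda p: p["firewall"] is True),
    ("os_version>=14.1", lambda p: tuple(p["os_version"]) >= (14, 1)),
    ("no_malware", lambda p: p["malware"] is False),
]


def evaluate(policy: list[Rule], posture: Posture) -> list[str]:
    """Names of the rules this posture fails; an empty list means compliant."""
    return [name for name, check in policy if not check(posture)]


@dataclass
class Session:
    created_at: int
    max_age: int                     # seconds until the session expires on its own
    cookie: Optional[str]            # None once the browser no longer holds the login cookie
    revoked_at: Optional[int] = None
    revoke_reason: list[str] = field(default_factory=list)

    def expires_at(self) -> int:
        return self.created_at + self.max_age

    def active(self, now: int) -> bool:
        return self.cookie is not None and now < self.expires_at()


def login(now: int, max_age: int, policy: list[Rule], posture: Posture):
    """Login-time check, as in the pre-existing model: compliant device or no session."""
    failed = evaluate(policy, posture)
    if failed:
        return None, failed
    return Session(created_at=now, max_age=max_age, cookie="login-cookie"), []


def on_heartbeat(session: Session, policy: list[Rule], hb: Posture) -> bool:
    """Continuous policy: re-evaluate on each heartbeat; revoke on the first failure."""
    if not session.active(hb["t"]):
        return False
    failed = evaluate(policy, hb)
    if not failed:
        return False
    session.cookie = None            # browser-side enforcement: drop the login cookie
    session.revoked_at = hb["t"]
    session.revoke_reason = failed
    return True


def run(heartbeats: list[Posture], max_age: int, policy: list[Rule], continuous: bool) -> dict:
    """Replay a heartbeat timeline and report how long a bad device kept its session."""
    session, failed = login(heartbeats[0]["t"], max_age, policy, heartbeats[0])
    if session is None:
        return {"logged_in": False, "login_failures": failed}
    first_bad = None                 # time of the first non-compliant heartbeat
    for hb in heartbeats[1:]:
        if first_bad is None and evaluate(policy, hb):
            first_bad = hb["t"]
        if continuous:
            on_heartbeat(session, policy, hb)
    ended = session.revoked_at if session.revoked_at is not None else session.expires_at()
    exposure = 0 if first_bad is None else max(0, ended - first_bad)
    return {"logged_in": True, "revoked_at": session.revoked_at,
            "reason": session.revoke_reason, "exposure_seconds": exposure}


# Constructed timeline: healthy device at login, malware detected at t=900s,
# then the device stays infected. Heartbeats every 300s.
HEALTHY = {"disk_encrypted": True, "firewall": True, "os_version": (14, 2), "malware": False}


def heartbeat(t: int, **changes) -> Posture:
    return {"t": t, **HEALTHY, **changes}


TIMELINE = ([heartbeat(t) for t in range(0, 900, 300)]
            + [heartbeat(t, malware=True) for t in range(900, 3600, 300)])

if __name__ == "__main__":
    print("login-only, 8h session :", run(TIMELINE, 8 * 3600, POLICY, continuous=False))
    print("continuous, 24h session:", run(TIMELINE, 24 * 3600, POLICY, continuous=True))
```

Under the login-only model an eight-hour session leaves the infected device with access for the remaining 27,900 seconds; under the continuous model even a 24-hour session is cut at the first failing heartbeat, which is the point the post makes about safely lengthening session time. In this model the exposure window is bounded by how quickly a posture change produces a heartbeat, so the heartbeat trigger is the parameter to watch when reasoning about a deployment.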

Graph showing how device trust declines after authentication, but climbs back up after a second authentication

Duo’s vision for Continuous Identity Security

The Session Trust continuous policy feature is an important milestone for Duo as we seek to achieve our goal of providing Continuous Identity Security for our users and organizations. We see a world where trust is neither binary nor permanent, where Duo works continuously so you don’t have to.

As we look to the future, we are working to expand the signals that Duo can collect and process, providing a more cohesive view of risk and giving organizations more tools to protect their users. We are also working to make Session Trust available for more application types, so that every session gets the best of both user experience and security.

Flowchart showing how a login allows users to move to an active session, which moves to the session end, which triggers an evaluation that leads back to an active session

To learn more, sign up for a free trial of Duo or reach out to your sales rep to sign up for private preview today.