Skip navigation
Product & Engineering

Getting Back to Work Just Got Easier: Introducing Expired Password Resets with Duo Single Sign-On

One of our core tenets at Duo is to help organizations provide workforce users with a seamless authentication experience while reducing the administrative burden on IT and helpdesk teams. We continue to enhance our secure access capabilities while centering an easy, effective user experience. 

Active Directory is the most popular authentication source connected to Duo Single Sign-On (SSO), accounting for almost 80% of all Duo SSO setups. Today, we’re excited to announce a new feature that will make that setup even better: expired password resets!

Let’s take a step back and look at how applications, of all sorts, have handled authentication for as long as we can remember. Most commonly, these applications communicate directly with Active Directory over Lightweight Directory Access Protocol (LDAP). With that authentication flow in place, and with a handful of Microsoft prerequisites, many applications added the ability for users to reset their expired password through the site or client so that users could access their application without needing to take up crucial helpdesk time. 

Over time, customers are increasingly moving toward a federated authentication workflow where their applications no longer communicate directly to Active Directory and instead communicate to a third-party identity provider. This often means that all of the benefits of native in-line password reset is lost and that users are often blocked. With our new Expired Password Resets feature in Duo SSO, we want to provide the easiest experience for users and let them quickly reset their expired password, log into their application, and get on with their day.

In the 90 days leading up to this release, more than 60,000 users have been blocked due to expired passwords among customers running updated versions of our Duo Authentication Proxy. 

Expired password resets with Duo SSO allow users to reset their expired Active Directory passwords while authenticating through Duo SSO. After a user attempts to log into Duo SSO, they’ll be informed that their password has expired and may change their password after completing multi-factor authentication (MFA).

Once the user successfully completes MFA they’ll be prompted with a page similar to this, which will show them your Active Directory password requirements:

They’ll be asked to type in their currently Active Directory password, followed by a new password that would be typed in twice.

To use Expired Password Resets for Duo SSO, make sure that the following settings are set for your SSO Active Directory Authentication Source: 

  • Must be using LDAPS or STARTTLS

  • Cannot be using the Global Catalog

  • Must be running Duo Authentication Proxy version 5.5.0 or higher

That’s it! If you already meet the requirements above, you’re one radio button away from giving your users a more streamlined authentication experience!

Learn about Duo SSO Active Directory Expired Password Resets, and read the guides for Duo SSO and Expired Password Resets that can be shared with your users.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.