
Available Now! Passwordless Authentication Is Just a Tap Away

We are excited to announce that Duo Passwordless is now generally available across all Duo Editions. Read our announcement to get the full scoop.

In this post we’ll go over how we are enabling organizations to use the Duo Mobile authenticator app for passwordless authentication using a more secure version of Duo Push.

Why we’re excited about passwordless authentication

The problem we are solving for customers is to help them to get started on their journey towards a passwordless future. We consistently hear from customers that the overhead and costs associated with getting their IT infrastructure and users ready for FIDO2 authenticators is a barrier for passwordless adoption. We also hear that administrators want to provide end-users with a back-up authentication option in case they cannot use their primary passwordless authenticator.

Duo Mobile solves this problem by providing organizations with a cost-effective solution to start their passwordless journey without compromising on security. The user enrollment process is as seamless as it can be. If the user is already using Duo Mobile for MFA, there is no need to enroll for passwordless authentication separately. When the passwordless authentication policy is enabled, the user is presented with a choice to start using Duo Mobile without passwords. No additional steps are required.

image of a successful login

How Passwordless Authentication with Duo Mobile works

Duo Mobile for passwordless authentication is inherently multi-factor authentication (MFA). Duo Push notification for passwordless logins requires a screen unlock (biometric or PIN) of the mobile device to approve the request. In this flow, the user proves “something you are” (biometric) and “something you have” (a registered device).

Further, we have built additional security into the login workflow to bind the browser session and the device being used to access the application. This mitigates phishing attacks that leverage tactics such as MFA prompt bombing. Duo achieves this in the following ways:

  • Known device check: Once the passwordless authentication policy is enabled, the user first completes a successful multi-factor authentication from an access device, as a one-time login flow. This authorizes that specific access device to send a push notification for subsequent logins, ensuring that only known devices can send a passwordless notification.

image of a successful login
  • Duo Push for Passwordless: On the subsequent login, the user is automatically put into a passwordless login workflow and is presented with a Duo Verified Push, which also requires biometric authentication on the mobile device. This strengthens the device binding with user authentication.

image of a Duo Push
  • Trust this browser: When the authentication is complete, the user is presented with a “Trust this browser?” option. If the user chooses not to trust the browser, they will continue to receive Duo Verified Push on subsequent authentications. If the user chooses to trust the browser, a stronger binding with the access device is established and on subsequent logins, the user will then be presented with a regular push along with screen unlock. This reduces the friction for users as we have sufficiently established trust in the login flow.
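The three-stage flow above (known device check, Verified Push with biometric, optional browser trust), modelled as an added toy example in Python. This is not Duo's code: the class, method names and the two-digit match number are assumptions made so the policy decision and the single-use number-match check can be exercised.

```python
import hmac
import secrets


class PasswordlessLogin:
    """Toy model of the Duo Mobile passwordless flow (assumed names, not Duo's code)."""

    def __init__(self):
        self.known_devices = set()     # access devices that completed the one-time MFA login
        self.trusted_browsers = set()  # browsers the user answered "Trust this browser?" for
        self.pending = {}              # push_id -> (number to match or None, push flavor)

    def complete_mfa_login(self, device_id):
        # Known device check: a successful MFA login authorises this access device.
        self.known_devices.add(device_id)

    def trust_browser(self, browser_id):
        self.trusted_browsers.add(browser_id)

    def push_flavor(self, device_id, browser_id):
        if device_id not in self.known_devices:
            return "mfa_required"  # unknown device may not start a passwordless push
        if browser_id in self.trusted_browsers:
            return "push_with_screen_unlock"
        return "verified_push_with_biometric"

    def start_login(self, device_id, browser_id):
        """Returns (push_id, number) or None; the number is shown only in the browser."""
        flavor = self.push_flavor(device_id, browser_id)
        if flavor == "mfa_required":
            return None
        push_id = secrets.token_hex(8)
        number = secrets.randbelow(100) if flavor == "verified_push_with_biometric" else None
        self.pending[push_id] = (number, flavor)
        return push_id, number

    def approve(self, push_id, entered_number, screen_unlocked, biometric_ok):
        """Phone-side approval. Each push is single-use: a failed attempt consumes it."""
        number, flavor = self.pending.pop(push_id, (None, None))
        if flavor is None or not screen_unlocked:
            return False
        if flavor == "verified_push_with_biometric":
            # An unsolicited "approve" tap cannot succeed without the number the
            # browser displayed, which is what blunts prompt bombing.
            if not biometric_ok or entered_number is None:
                return False
            return hmac.compare_digest(str(number), str(entered_number))
        return True
```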

Flavors of Duo Push

Duo Push is a popular method of authentication used by customers because of its ease of use. We have enhanced Duo Push to make it more secure. One evolution of our push is the Duo Verified Push, which includes a number matching component. Now, Duo Push for passwordless introduces a third flavor of Duo Push, which incorporates a biometric screen unlock in order to approve the request.

Duo Push

  • Requires users to tap “approve" on a registered device

  • Low user friction

  • Weak device binding

  • Susceptible to MFA prompt bombing or MFA fatigue attacks

  • We recommend using in conjunction with the Trusted Endpoints policy to create strong device binding

Duo Verified Push

  • Includes number matching

  • Increases user friction deliberately

  • More secure, creates device binding

  • Mitigates MFA prompt bombing or MFA fatigue attacks

Duo Push for Passwordless

  • Typically, Duo Verified Push with biometric authentication. Changes to Duo Push with biometric authentication when users trust the browser

  • More secure, creates device binding

  • Mitigates MFA prompt bombing or MFA fatigue attacks

Duo Mobile as a passwordless authenticator is available across all Duo Editions, including the Duo MFA edition. Many of our customers have already begun their passwordless journey. If you are looking to get started as well, sign up for a free trial and reach out to our amazing representatives.

To learn more, check out the updated eBook – Passwordless: The Future of Authentication, which outlines a 5-step path to getting started with passwordless. And watch the passwordless product demo in this on-demand webinar.