Device Trust without cookies: advancing passwordless with Duo Push
Going passwordless is one of the most impactful steps an organization can take to reduce phishing risk and simplify the authentication experience. We’ve seen broad customer adoption of Duo Push for passwordless thanks to its familiar user experience, and we’re committed to continuously improving that experience.
Today, we’re introducing enhancements to Duo Passwordless Push for Duo SSO apps that address limitations of the browser cookie-based approach used to establish device trust. Previously, switching browsers, setting up a new laptop, or simply clearing cookies could force users back to a password. That friction makes achieving true passwordless more difficult.
By integrating Duo Desktop into the passwordless workflow and adding Bluetooth proximity verification, we’ve made Duo Passwordless Push more resilient, more consistent, and ready for organizations that want to go all in without compromise.
The limitations of browser cookies as a trust signal
Duo Passwordless Push works by verifying that a user's browser is recognized before allowing access. Until now, that trust relied on a browser cookie. Cookies work in many use cases, but they come with limitations that surface in everyday scenarios.
For example, when logging in from an embedded browser where cookies don't persist, Duo Passwordless Push is not available and users must log in with another method; usually that means a password plus two-factor authentication (2FA). For teams that have disabled password fallback to fully commit to passwordless, this can stop a user's day in its tracks.
Clearing cookies also means starting over. IT policies, browser updates, or users tidying up their settings can all wipe cookies.
Furthermore, when users get new laptops, no pre-existing trust signals like cookies exist to allow passwordless push. Users must either re-enroll or authenticate again on that device first to obtain a cookie before passwordless push is available to use. These limitations make achieving true passwordless challenging.
What’s new from Duo
Persistent Device Trust across browsers with Duo Desktop
With Duo Desktop registered on an endpoint, device trust is now stored server-side and tied to the device itself instead of a single browser. When a user marks a browser as known during authentication, that trust decision is associated with the endpoint through Duo Desktop. The next time they sign in, even from a different browser, Duo Desktop identifies the device and the trusted status carries over automatically.
Cookies are still supported as an optional fallback for scenarios where Duo Desktop is not running. This ensures a smooth rollout with no disruption.
In practice, this means users no longer lose device trust. Switching browsers, clearing cookies, or resetting profiles no longer sends them back to square one.
Bluetooth Proximity Verification for new endpoints
To address the new laptop problem, we've introduced a way to establish device trust that does not depend on a pre-existing cookie. When a user signs in from an unrecognized endpoint, they're prompted to enter a Duo Mobile one-time passcode (OTP), followed by Bluetooth proximity verification. This confirms that their registered mobile device is physically nearby before the passwordless push is sent and approved.
This layered approach defends against common attacks such as push harassment and remote phishing: no push is sent until the user has typed a code from their own phone, and the proximity check fails when the login originates from a machine the user's phone is nowhere near. There's no password, no fallback factor, and no manual Bluetooth device pairing. Duo Desktop and Duo Mobile handle the Bluetooth handshake in the background while the user simply approves the push. Note that this path requires Duo Desktop on the endpoint and Bluetooth available on both the endpoint and the phone; where those are absent, the cookie fallback or another authentication method applies. The result is a clean, secure path to truly passwordless onboarding.
Granular controls for high-security environments
Administrators get two new policy options to tailor the authentication experience based on their risk tolerance:
First, you can choose whether Bluetooth proximity verification is required only on unrecognized endpoints (the default) or required on every passwordless login for a stricter posture in more critical environments.
Second, you can disable browser cookies as a trust signal. With Duo Desktop handling trust at the endpoint level, cookies are no longer necessary on those endpoints. Removing them from the equation means a stolen or replayed cookie can never be used to satisfy the device trust check for a passwordless push. This hardens your passwordless deployment against cookie theft without changing the experience on endpoints running Duo Desktop, which continues to handle device recognition. Be aware of the trade-off before turning cookies off: an endpoint without Duo Desktop then has no device trust signal at all, so passwordless push is unavailable there and users must fall back to another method.
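To make the two policy switches and the trust sources concrete, here is a small model of the decision the post describes, written for this article as an added example. It is not Duo's code: the data model, the function names and the exact behaviour in the corner cases (for example, what happens in strict mode on an endpoint without Duo Desktop) are assumptions made for the illustration. It walks through a new laptop, a second browser on the same laptop, a replayed cookie with and without cookie trust enabled, and the "proximity on every login" mode.

```python
"""Model of the device-trust decision behind a passwordless push.

Constructed illustration for the article, not Duo's implementation.
Names, data model and corner-case behaviour are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class ProximityMode(Enum):
    UNRECOGNIZED_ONLY = "unrecognized_only"  # the default described in the post
    ALWAYS = "always"                        # stricter posture


@dataclass
class Policy:
    proximity_mode: ProximityMode = ProximityMode.UNRECOGNIZED_ONLY
    allow_cookie_trust: bool = True   # False models "disable browser cookies as a trust signal"


@dataclass
class LoginContext:
    user: str
    endpoint_id: Optional[str]   # device identity reported by Duo Desktop; None if it is not running
    cookie: Optional[str]        # browser trust cookie presented by the browser, if any


@dataclass
class TrustStore:
    """Server-side record of what the user has marked as known (assumed shape)."""
    endpoints: set = field(default_factory=set)   # {(user, endpoint_id)}
    cookies: set = field(default_factory=set)     # {(user, cookie_value)}

    def mark_known(self, ctx: LoginContext, issue_cookie: bool = True) -> Optional[str]:
        """After a successful login the user marks the browser as known.
        Trust is bound to the endpoint when Duo Desktop reported one; the cookie
        is only the optional fallback. Returns the (constructed) cookie value."""
        if ctx.endpoint_id is not None:
            self.endpoints.add((ctx.user, ctx.endpoint_id))
        if issue_cookie:
            cookie = f"trust-{ctx.user}-{len(self.cookies) + 1}"   # constructed value
            self.cookies.add((ctx.user, cookie))
            return cookie
        return None


def recognized_by(store: TrustStore, ctx: LoginContext, policy: Policy) -> Optional[str]:
    """Which signal recognizes this endpoint: 'desktop', 'cookie', or None."""
    if ctx.endpoint_id is not None and (ctx.user, ctx.endpoint_id) in store.endpoints:
        return "desktop"
    if policy.allow_cookie_trust and ctx.cookie is not None and (ctx.user, ctx.cookie) in store.cookies:
        return "cookie"
    return None


def required_steps(store: TrustStore, ctx: LoginContext, policy: Policy) -> Optional[List[str]]:
    """Steps the user must complete for a passwordless push, or None when
    passwordless push is not available and another method must be used."""
    source = recognized_by(store, ctx, policy)
    if source is None:
        # Unrecognized endpoint: OTP, then Bluetooth proximity, then push.
        # Proximity needs Duo Desktop, so without it there is no passwordless path.
        if ctx.endpoint_id is None:
            return None
        return ["otp", "proximity", "push"]
    if policy.proximity_mode is ProximityMode.ALWAYS:
        # Assumption: strict mode also needs Duo Desktop for the proximity check.
        if ctx.endpoint_id is None:
            return None
        return ["proximity", "push"]
    return ["push"]


def walkthrough() -> dict:
    """Scenarios from the post, with constructed users and endpoint ids."""
    policy, store, out = Policy(), TrustStore(), {}
    new_laptop = LoginContext("alice", endpoint_id="laptop-1", cookie=None)
    out["new_laptop"] = required_steps(store, new_laptop, policy)
    cookie = store.mark_known(new_laptop)                       # trust now bound to laptop-1
    other_browser = LoginContext("alice", "laptop-1", cookie=None)
    out["other_browser"] = required_steps(store, other_browser, policy)
    # Attacker replays the stolen cookie from a machine without Duo Desktop.
    replay = LoginContext("alice", endpoint_id=None, cookie=cookie)
    out["replay_cookies_on"] = required_steps(store, replay, policy)
    out["replay_cookies_off"] = required_steps(store, replay, Policy(allow_cookie_trust=False))
    # Same replay from a machine that runs Duo Desktop but was never marked known.
    replay_desktop = LoginContext("alice", endpoint_id="attacker-box", cookie=cookie)
    out["replay_unknown_desktop_cookies_off"] = required_steps(
        store, replay_desktop, Policy(allow_cookie_trust=False))
    strict = Policy(proximity_mode=ProximityMode.ALWAYS)
    out["strict_known_endpoint"] = required_steps(store, other_browser, strict)
    return out


if __name__ == "__main__":
    for name, steps in walkthrough().items():
        print(f"{name:40s} {steps}")
```

The two replay rows are the point of the cookie switch: with cookie trust left on, a stolen cookie alone reaches the push prompt, and the attacker's remaining hurdle is the user approving it; with cookie trust off, the replay either has no passwordless path at all or is routed through OTP plus proximity, neither of which a remote attacker can satisfy without the user's phone beside the attacker's machine.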
Duo Passwordless Push Just Works Everywhere
Passwordless authentication should simply work. It should feel natural to users, dependable across devices, and strong enough to meet modern security standards.
Duo Passwordless Push delivers that experience. Trust stays anchored to the device, creating consistency across browsers and sessions. New endpoints can establish trust quickly and securely from day one. At the same time, administrators gain granular controls to shape the experience according to their security requirements.
These enhancements make Duo Passwordless Push a robust, scalable foundation for organizations ready to embrace a true passwordless future.
To get started, visit our Passwordless Quick Start Guide and documentation.
Interested in learning more about how Duo helps defend against modern phishing attacks? Get the free guide to Building End-to-end Phishing Resistance or try it for yourself with a free trial of Duo IAM and Passwordless today.
Frequently asked questions about Duo Passwordless Push
What is Duo Passwordless Push?
Duo Passwordless Push allows users to authenticate without entering a password by verifying their identity through a push notification to the Duo Mobile app. It combines device trust verification with user approval to provide a secure, phishing-resistant login experience for applications protected by Duo Single Sign-On (SSO).
What about Passwordless Windows Logon?
The passwordless capabilities discussed in this post apply to web-based applications protected by Duo Single Sign-On (SSO), where users authenticate through a browser. Duo also offers a Passwordless OS Logon feature for Windows, which eliminates passwords at the Windows desktop login screen itself. To learn more, see the Passwordless Windows Logon documentation.
How does Duo Desktop improve passwordless device trust?
Duo Desktop stores device trust server-side and ties it to the endpoint rather than relying on a browser cookie. This means trust persists across browsers, survives cookie clearing, and carries over automatically when users switch between browsers on the same device.
How do I establish passwordless trust on a new laptop?
When a user signs in from an unrecognized endpoint, Duo prompts them to enter a Duo Mobile one-time passcode followed by Bluetooth proximity verification. This confirms that the user's registered mobile device is physically nearby, establishing device trust securely without requiring a password.
What is Bluetooth proximity verification in Duo?
Bluetooth proximity verification is a security feature that confirms a user's registered Duo Mobile device is physically near the endpoint during authentication. Duo Desktop and Duo Mobile handle the Bluetooth handshake automatically in the background, requiring no manual device pairing from the user.
Can I disable browser cookies for Duo Passwordless Push?
Yes, administrators can disable browser cookies as a trust signal through Duo policy controls. With Duo Desktop handling device trust at the endpoint level, cookies are no longer necessary on those endpoints. Disabling cookies prevents stolen or replayed cookies from satisfying the device trust check for passwordless push. Endpoints that are not running Duo Desktop then have no trust signal and must use another authentication method.
What is the difference between cookie-based and device-based trust in Duo?
Cookie-based trust relies on a browser cookie to recognize a device, which means trust is lost when cookies are cleared, browsers are switched, or a new device is used. Device-based trust through Duo Desktop ties recognition to the endpoint itself and stores it server-side. This approach provides consistent trust across browsers and sessions without depending on cookies.