Spring 2012 Release
We've been keeping cool indoors during this hottest spring on record in Ann Arbor (since 1880!).
Result: Love for Duo administrators! Here's the feature round-up.
Bulk User Enrollment
While TOFU[1] inline self-enrollment fits the needs of most of our customers, we've received several requests to add the ability to kick off the self-enrollment process via email. Administrators can now paste a CSV of usernames and email addresses into the Bulk User Enrollment page. Duo will send a unique activation link to each user. After a user enrolls her phone using this link, she will be required to use two-factor authentication upon her next login to a Duo-protected service.
[Screenshot of bulk enrollment]
End User Guide to Two-Factor Authentication
You'll notice a new link in the Bulk User Enrollment email template. It points users to our recently published Guide to Two-Factor Authentication. This guide is intended to help users understand what two-factor authentication is all about and why their organization is asking them to use it.
We welcome your feedback on this site and hope it helps educate your users.
Inactive User Expiration
Several customers have asked us if we could automatically delete a user if that user has been inactive for a configurable number of days. Yep, now you can do just that.
Non-Expiring Bypass Codes
Did your user forget his phone or token at home? Setting an expiration time is a security best practice, but for convenience Duo administrators can now create bypass passcodes that never expire.
Hardware Token Resync
Using hardware tokens? Sometimes they get out of sync with our server if users generate and discard too many one-time passcodes (OTPs). Duo administrators can now resync users' hardware tokens from the Duo administrative interface.
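To show why a counter-based token drifts and how a resync recovers it, here is an added example (not Duo's code) of RFC 4226 HOTP with a normal login look-ahead window and an administrative resync step; the resync protocol assumed here (the user supplies two consecutive OTPs and the server searches a wide window for two adjacent matching counters) is a common convention and an assumption of this example, not a description of Duo's implementation.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret: bytes, server_counter: int, otp: str, window: int = 10):
    """Normal login: accept an OTP whose counter lies within a small look-ahead window.
    Returns the new server counter (one past the matched value), or None on failure.
    A token whose user has pressed the button more than `window` times since the last
    successful login is now "out of sync" and every login fails until a resync."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c + 1
    return None

def resync(secret: bytes, server_counter: int, otp1: str, otp2: str, window: int = 1000):
    """Admin resync (assumed protocol): two consecutive OTPs must match two adjacent
    counters inside a much larger window. Requiring the pair keeps the wide window from
    turning into an easy single-guess against a 6-digit code."""
    for c in range(server_counter, server_counter + window):
        if (hmac.compare_digest(hotp(secret, c), otp1)
                and hmac.compare_digest(hotp(secret, c + 1), otp2)):
            return c + 2
    return None

if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; the drifted counter value is constructed.
    secret = b"12345678901234567890"
    token_counter = 57          # user pressed the button 57 times, server still at 0
    print("login:", verify(secret, 0, hotp(secret, token_counter)))             # None
    print("resync:", resync(secret, 0, hotp(secret, 57), hotp(secret, 58)))    # 59
```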
Import Third-Party HOTP and YubiKey Tokens
We've had support for third-party tokens for some time, but importing them involved filing a support request with Duo. Now Duo administrators can handle hardware token import on their own, which should make everyone happier.
Content Security Policy Support for Firefox
Keeping up with the latest browser security advances, Duo has used Content Security Policy[2] support in Chrome for some time to help prevent Cross-Site Scripting (XSS) and clickjacking on the Duo administrative interface.
$ curl -v -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0" \
    https://admin-xxxxxxxx.duosecurity.com/login?next=%2F
...
< X-Content-Security-Policy: default-src 'self'
< X-WebKit-CSP: default-src 'self'
Mozilla recently made improvements to Firefox's CSP support and now the Duo administrative interface will enforce the Duo CSP for Firefox version 10 and greater.
Expanding CSP support is just one of the many ways Duo leverages the latest techniques to ensure the security of your account.
1. TOFU = Trust On First Use, aka Trust Upon First Use (TUFU). In the Duo context, we recommend TOFU when enrolling a user for the first time: after a user verifies her first-factor credentials (username/password), she is prompted to enroll her second-factor credentials using Duo.
2. Read more about Content Security Policy (CSP) in the W3C CSP Working Draft, the MozillaWiki, and the Google Chrome Extensions docs.