Trust and Verify: Trusted Devices & Trusted Networks Controls Make Duo Even Easier For You
We have a mantra at Duo -- The less your users see of us, the better.
That is, we strive to provide strong and usable authentication for your users that maintains a seamless and non-disruptive login experience. We recently introduced two new features in our platform that give you finer-grained control over when your users are prompted for two-factor authentication.
New Trusted Devices Feature Adds Ease of Login for Web-Based Integrations
The first feature is what we call "trusted devices". Your users may recognize the functionality commonly applied to primary authentication in web applications as "remember my computer" or "keep me logged in". The feature allows a user's computer to be considered trusted after initially authenticating, therefore not challenging them for secondary authentication upon subsequent logins from the same device to the same application for a set period of time.In the Duo administrative interface, an administrator can enable the "trusted devices" support on a per-integration basis. Users will then see a checkbox in their login screen that will allow them to opt-in to remembering their device. If a user completes Duo authentication and selects that checkbox, they will not be prompted for two-factor again for the preset number of days when logging in from the same browser/device.
This feature is currently supported in all our web-based integrations (eg. SSL VPNs, Outlook Web Access, Shibboleth, WordPress, etc).
New Trusted Networks Control Streamlines Login for People in the Office
Similarly, your organization may have policies in place that mandate strong authentication only for untrusted, Internet-originated access to company services. For example, you may want to enforce two-factor on your VPN endpoint for remote employees, while allowing local employees plugged in via an 802.1x-authenticated wired port to access internal resources without a two-factor challenge.For this use case, a Duo administrator can now specify "trusted networks" by IP addresses or CIDR blocks. If a user originates from one of the defined trusted networks, they will not be prompted for Duo's two-factor authentication.
Keep your eyes open for more login controls and policies in the coming months!