Universal Prompt Spotlight: Policy for the Self-Service Portal!
As organizations continue to experience the ever-present tension that exists between ease of use and security, Duo continues in our commitment to solve for both. With Duo’s most recent release, we’ve added features that offer a significant amount of value to the Self-Service Portal! We’re excited to showcase these to you and share how this functionality might fit into your environment.
What is the Self-Service Portal?
Before we get to the exciting new features, we wanted to review the Self-Service Portal (SSP) itself. The SSP is an integral part of Duo’s Universal Prompt and can be enabled to provide users with a way to add, remove, or manage their authentication devices in an easy and secure manner. This can all be done by an end-user without having to contact your organization’s helpdesk. Have a look below to see how easy it is:
One of the challenges with managing modern authentication is allowing end users to manage devices securely at scale. Many organizations today have manual processes that require a lot of time and investment to maintain and that create a lot of friction for end users.
Duo has heard you - and we're excited to share that we are improving the security of our self-service portal to make it even easier for you to deploy self-service at scale in your organization.
Up until now, policy for access into the Universal Prompt’s SSP (also known as “Manage Devices” inside the prompt) was determined by the application you were trying to access when viewing the prompt. For example, if you were accessing Office 365 through Duo SSO, the policy requirements to access the SSP were those of the Office 365 application in your Duo Admin Panel. Based on our research, we know that there are scenarios where an administrator may want to apply a stricter policy to the SSP than to a protected application.
What the self-service policy looks like in practice
As an example, your organization may be making use of our Risk-Based Factor Selection policy for normal application logins. This policy reduces friction for end-users in authentications detected as low risk. For access to the SSP, however, you will likely always want to use a phishing-resistant method such as Verified Push, Touch ID, or a WebAuthn Security Key. The dedicated policy for SSP makes this a reality by allowing a separate policy to be applied just to self-service within the same prompt.
In addition to “Manage Devices” from within the Universal Prompt, policies that administrators assign here will also apply to SSP access into Device Management within Duo Central and the dedicated device management URL for Duo Central. Other policy requirements can also be set here, and the policy can be applied at the Group or Application level just like for any other protected application. See below for an example of a recommended policy applied to the SSP. This one allows only phishing-resistant authentication methods:
Alongside dedicated policy, logging is a critical component in confidently offering self-service to end-users. When SSP policy is enabled, all authentications into the above-mentioned self-service workflows will now be centrally logged. With this improvement, you’ll be able to distinguish between application authentications and SSP authentications. This provides organizations with an additional layer of visibility to better audit, track, and investigate.
Empower your users
You can start customizing how users access the Self-Service Portal through Universal Prompt today! You’ll be empowering them to manage their authentication methods while optimizing their time using an efficient workflow. It not only improves their satisfaction, but it also reduces time spent with the help desk, thus reducing your total cost of ownership, not to mention strengthening your security posture.