
Guide to Duo’s Federal Editions

Last Updated: November 20th, 2019


Welcome to Duo Security’s Federal Guide to Duo’s FedRAMP Authorized Federal Editions. All Federal Edition product differences outlined within this guide were completed to ensure product alignment with FedRAMP/NIST 800-53 security controls, NIST’s Digital Identity Guidelines (SP 800-63-3), and FIPS 140-2 compliance requirements for Duo’s US Federal/Public Sector customers. Learn more about Duo’s Federal Editions.

Duo’s FedRAMP Package for Duo’s Federal Editions

If you’re a US Federal Agency and you need to access Duo’s FedRAMP Authorization Package please leverage OMB’s MAX Portal or contact your Duo Federal Account Executive.

Starting a Trial of Duo's Federal Editions

To sign up for Duo's federal editions, please fill out the contact form on Duo's Federal Editions page. Once submitted, Duo will reach out to qualify and confirm eligibility, ensuring that customers are federal agencies, federal contractors, public sector entities, or Cloud Service Providers (CSPs) pursuing FedRAMP.

Connectivity Requirements

Duo’s integrations communicate with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo KB article 1337 for additional information.

Many of Duo’s applications support the use of an HTTP proxy to provide connectivity to Duo. Check the documentation or FAQs for the Duo applications you will be deploying to determine if they support HTTP proxy.

Comparing Duo Federal Editions with Duo's Standard Editions

Duo's federal and standard editions use the same core components and are administered in the same way, via the Duo Admin Panel. Most administration and deployment tasks in Duo federal editions use the same published instructions available at /docs.

This document describes how Duo's federal editions differ from Duo’s standard editions.

Available Editions

Duo offers Federal MFA and Federal Access subscription plans. Duo Beyond edition's featured components like Trusted Endpoints or Duo Network Gateway are not available in the federal editions.

Token Restrictions

Duo federal edition customers may not purchase Duo-provisioned D-100 tokens from Duo for authentication needs. Customers must purchase their own third-party tokens and import them into Duo.

FIPS Enforcement in Duo Mobile

Duo Push and Duo Mobile passcode authentication methods on iOS 6 and later and on Android (as of Duo Mobile version 3.25.0) are FIPS 140-2 compliant by default with no configuration required by administrators. Learn more about Duo Mobile FIPS support in Duo’s Knowledge Base.

Phishing

Duo's federal editions do not include the Phishing feature.

Identity Proofing

Duo's federal editions do not include the Identity Proofing feature.

Duo Authentication Proxy

The Duo Authentication Proxy is an application you install on your network. It’s used for Active Directory and OpenLDAP sync of your users into Duo, and for RADIUS and LDAP two-factor authentication for your on-premises VPNs, services, and applications.

The Duo Authentication Proxy is FIPS-compliant when it is installed on a Windows or Linux system with FIPS enabled at the operating system level and you enable the FIPS option in the Duo proxy configuration file. LDAPS is the only FIPS-compliant authentication method through the proxy; RADIUS is excluded because the protocol protects its shared secret and password attributes with MD5, which is not a FIPS-approved algorithm.

(Figure: Duo Authentication Proxy End-to-End FIPS Diagram)

See the documentation to learn more about deploying the Duo Authentication Proxy in FIPS mode.
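The following is an added example, not Duo's own code, showing what an end-to-end FIPS review of an authproxy.cfg looks like in practice: it checks the OS-level FIPS flag on Linux, confirms fips_mode is on in [main], and flags the configurations the text above says are not FIPS-compliant (any RADIUS server section, a directory client not using transport=ldaps, an LDAPS listener without its TLS key and certificate). The embedded config is constructed for illustration; hostnames, keys and paths are placeholders, and the check that api_host sits under duofederal.com is an assumption about how federal tenants are addressed, not something this page states.

```python
import configparser

# Constructed sample authproxy.cfg (not a real deployment). Option names follow
# Duo's documented proxy config; hosts, keys and paths are placeholders.
SAMPLE_CFG = """
[main]
fips_mode=true

[ad_client]
host=dc1.example.org
service_account_username=duosvc
service_account_password=REDACTED
search_dn=DC=example,DC=org
transport=ldaps
ssl_ca_certs_file=/opt/duoauthproxy/conf/ca-bundle.crt

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REDACTED
api_host=api-xxxxxxxx.duofederal.com
client=ad_client
ssl_key_path=/opt/duoauthproxy/conf/proxy.key
ssl_cert_path=/opt/duoauthproxy/conf/proxy.pem
failmode=secure

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REDACTED
api_host=api-xxxxxxxx.duofederal.com
client=ad_client
radius_ip_1=10.0.0.5
radius_secret_1=REDACTED
port=1812
"""


def os_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Linux kernel FIPS flag: True/False, or None when it cannot be read (e.g. not Linux)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def audit_authproxy(cfg_text, federal_api_suffix=".duofederal.com"):
    """Return findings that break end-to-end FIPS for a Duo Authentication Proxy config.

    Rules: fips_mode must be true; RADIUS server sections are not FIPS-compliant in the
    proxy (LDAPS is the only compliant method); ad_client must use transport=ldaps;
    ldap_server_auto needs a TLS key and cert; and (assumption, not from the page) a
    federal tenant's api_host is expected under duofederal.com.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    findings = []
    if cp.get("main", "fips_mode", fallback="false").strip().lower() != "true":
        findings.append("[main] fips_mode is not set to true")
    for sect in cp.sections():
        if sect.startswith("radius_server"):
            findings.append(f"[{sect}] RADIUS is not FIPS-compliant in the proxy; serve this application over LDAPS instead")
        if sect.startswith("ad_client"):
            transport = cp.get(sect, "transport", fallback="clear").lower()
            if transport != "ldaps":
                findings.append(f"[{sect}] directory transport must be ldaps (found {transport})")
        if sect.startswith("ldap_server_auto") and not (
            cp.has_option(sect, "ssl_key_path") and cp.has_option(sect, "ssl_cert_path")
        ):
            findings.append(f"[{sect}] LDAPS listener needs ssl_key_path and ssl_cert_path")
        api_host = cp.get(sect, "api_host", fallback=None)
        if api_host and not api_host.lower().endswith(federal_api_suffix):
            findings.append(f"[{sect}] api_host {api_host} is not under {federal_api_suffix}")
    return findings


if __name__ == "__main__":
    print("OS FIPS mode:", os_fips_enabled())
    for line in audit_authproxy(SAMPLE_CFG) or ["no findings"]:
        print(line)
```

Run against the sample, the only finding is the [radius_server_auto] section: the proxy itself is in FIPS mode and the LDAPS path is complete, but any application still pointed at the RADIUS listener is outside the FIPS boundary. On Windows the equivalent OS check is the FipsAlgorithmPolicy registry setting rather than /proc, which is why os_fips_enabled returns None rather than False when the file is absent.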

Duo Unix

Duo Unix is FIPS-compliant when run on a Unix or Linux system with the operating system-wide FIPS mode enabled.

(Figure: Duo Unix End-to-End FIPS Diagram)

See the documentation to learn more about Duo Unix in FIPS mode.

Cisco and Juniper/Pulse LDAPS Applications

Duo's federal editions do not include the direct LDAPS integrations for Cisco ASA or Juniper/Pulse Secure SSL VPNs. Customers who wish to protect these VPNs can do so with the Cisco ASA RADIUS and Juniper SA RADIUS or Pulse Secure RADIUS configurations, which require local installation of the Duo Authentication Proxy. Note that the Duo Authentication Proxy is only FIPS-compliant for LDAPS communications, so if end-to-end FIPS is required, configure the VPN to authenticate to the Duo proxy over LDAPS rather than RADIUS. Ask your Duo sales or customer success engineer for more details.

Duo Custom Control for Microsoft Azure AD Conditional Access

Duo supports Azure Conditional Access via a custom control. Microsoft’s Government Cloud does not support custom controls for conditional access in Azure Government’s Active Directory service today. Therefore, Duo's federal editions do not include access to this application.

Azure Sync

Duo's federal editions do not include the Azure Directory Sync feature. You may sync on-premises Active Directory or OpenLDAP directories into Duo via the Authentication Proxy.

Auth API

No telephony options may be used with Duo Auth API applications. This affects the API /auth endpoint as follows:

  • Disables use of the “phone” factor value
  • Disables use of the “sms” factor value
  • The “auto” factor will not choose “phone” or “sms”
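To make the /auth restrictions concrete, here is an added example (not Duo's client library) that builds a signed POST /auth/v2/auth request and refuses the telephony factors before anything is sent, so a federal integration fails fast instead of getting an error back from Duo. The signing follows Duo's documented v2 scheme: a canonical string of Date, METHOD, host, path and the sorted URL-encoded parameters, an HMAC-SHA1 over it with the secret key, and a Basic Authorization header of ikey:signature. The integration key, secret key and api_host below are constructed placeholders; the federal API hostname pattern is an assumption.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse

# Factor values that Duo's federal editions disable on /auth/v2/auth.
FEDERAL_DISALLOWED_FACTORS = frozenset({"phone", "sms"})
KNOWN_FACTORS = frozenset({"auto", "push", "passcode", "phone", "sms"})


def factor_allowed(factor, federal=True):
    """True when the factor may be requested in this edition."""
    return not (federal and factor in FEDERAL_DISALLOWED_FACTORS)


def canonicalize_params(params):
    """Sort by key and URL-encode each key and value (Duo's canonical parameter form)."""
    return "&".join(
        f"{urllib.parse.quote(str(k), '~')}={urllib.parse.quote(str(v), '~')}"
        for k, v in sorted(params.items())
    )


def canonical_request(date, method, host, path, params):
    """The five-line string Duo signs: Date, METHOD, lowercase host, path, params."""
    return "\n".join([date, method.upper(), host.lower(), path, canonicalize_params(params)])


def sign_request(ikey, skey, method, host, path, params, date=None):
    """Headers for a Duo API call: RFC 2822 Date plus Basic auth of ikey:hex(HMAC-SHA1)."""
    date = date or email.utils.formatdate(usegmt=True)
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {
        "Date": date,
        "Authorization": f"Basic {token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }


def build_auth_request(ikey, skey, api_host, username, factor, device="auto",
                       passcode=None, federal=True, date=None):
    """Assemble a POST /auth/v2/auth request under the federal factor rules.

    Returns a dict with method, url, headers and the form-encoded body. In a
    federal edition 'phone' and 'sms' are rejected locally; 'auto' is passed
    through because Duo itself will only resolve it to push there.
    """
    if factor not in KNOWN_FACTORS:
        raise ValueError(f"unknown factor {factor!r}")
    if not factor_allowed(factor, federal):
        raise ValueError(f"factor {factor!r} is a telephony method and is disabled in Duo federal editions")
    params = {"username": username, "factor": factor}
    if factor == "passcode":
        if not passcode:
            raise ValueError("factor=passcode requires a passcode")
        params["passcode"] = passcode
    else:
        params["device"] = device  # a device id, or "auto" for the user's default device
    path = "/auth/v2/auth"
    headers = sign_request(ikey, skey, "POST", api_host, path, params, date)
    return {
        "method": "POST",
        "url": f"https://{api_host}{path}",
        "headers": headers,
        "body": canonicalize_params(params),
    }


if __name__ == "__main__":
    # Placeholder credentials and a hypothetical federal API host (assumptions).
    req = build_auth_request("DIXXXXXXXXXXXXXXXXXX", "REDACTED", "api-xxxxxxxx.duofederal.com",
                             "alice", "push")
    print(req["url"], req["body"], req["headers"]["Authorization"][:20] + "...")
```

The request dict is ready to hand to any HTTP client; the body and the signed parameters come from the same canonicalize_params call, which is what keeps the signature valid. Setting federal=False restores the standard-edition behaviour for comparison.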

Telephony Restrictions

Duo's federal edition customers may not use any of the telephony features in Duo's standard service. Duo removed telephony authenticators from our federal editions to provide alignment with NIST SP 800-63B AAL2 requirements by default, as NIST labels telephony (PSTN) authenticators as "RESTRICTED". This restriction affects how federal administrators and end users get created or enrolled in Duo, and how they log in using Duo.

Telephony Restrictions for Admins

Telephony Restrictions for End Users

  • The Authentication Methods policy settings (which affect end user logins) do not show the Phone Callback or SMS Passcodes options. It is not possible to enable these methods for use via policy.
  • When creating a new end user, or when an end user performs self-enrollment in Duo, a phone number is collected but is only used as an identifier for the user's device and is not used for phone call or SMS authentication purposes.
  • End users may only enroll iOS or Android smartphones and tablets for use with Duo Mobile. End users may not enroll generic smartphones, landlines, or Windows Phone devices, and these platforms and device types are not offered during enrollment.
  • End users may not approve Duo authentication requests using phone calls or SMS passcodes. End users see no mention of SMS passcodes or phone calls in the Duo Prompt and may not use phone call verification or send passcodes via SMS to themselves to log in from any phone.
  • When configuring their default device options, end users may only choose between the "Ask me to choose an authentication method" or "Automatically send this device a Duo Push" options. The "Automatically call this device” option is not presented.
  • An end user may not enroll a device in Duo using an existing phone number, as there is no way to verify ownership of the device using phone call or SMS. End users must contact a Duo administrator to activate a shared device.

Duo Administrator Creation

The Duo administrator password default requirement specifies at least twelve (12) characters. The minimum password length may be modified in the Admin Password Policy settings area of the global Settings page.

New passwords will be checked against common passwords, usernames, and other account information to ensure uniqueness. Federal editions do not provide the administrator password complexity options available in standard editions.

When creating a new Duo administrator, the only option for secondary authentication is to select a hardware token previously imported into Duo. Once you save the new administrator, you may also choose to activate Duo Push. If you do not choose one of these options, then the new administrator can’t log in.

(Figure: New Federal Admin Secondary Authentication)

Click Activate Duo Push and then click the Activate link to generate a QR code that the new admin can scan with Duo Mobile to activate the app for Duo Push. If the new admin isn’t with you to scan the QR code, click the Email this barcode to … link to send the code to them.

Duo Administrator Logins

All Duo administrators access the Duo Admin Panel to configure their Duo service and users. When logging in to the Duo Admin Panel as a Duo federal edition customer, you’ll note some differences to the documented login process:

Log In URL

Use your unique customer admin URL to access the Duo Admin Panel, e.g. https://admin-abcd1234.duofederal.com. Do not use https://admin.duosecurity.com.

Secondary Factor Restrictions

Duo's federal editions may not use telephony-related features. Duo administrators must authenticate using Duo Push on a smartphone with the Duo Mobile app, or with a passcode from a hardware token. A Duo admin without either of these secondary authenticators may not log into the Duo Admin Panel.

System Use Notification

Duo's federal edition administrators must accept the login warning shown or be denied access.

End User Lockout and Inactivity Expiration

Duo federal customers have the following Lockout and Fraud defaults:

  • The default lockout threshold is three (3) failed attempts.
  • The default lockout expiration time is thirty (30) minutes.

Additionally, the default inactive user expiration is ninety (90) days.

Duo End User Enrollment and Logon

The telephony restrictions in Duo's federal editions change the end-user device enrollment and authentication experience. Note that you can achieve similar restrictions via policy settings as a Duo standard edition customer, but in Duo's federal editions these restrictions may not be removed or reverted.

Restricted Device Types and Platforms

Users may not enroll or authenticate with the following device types and platforms:

  • Landlines
  • Windows Phone mobile phones
  • Other cell phones and feature phones

Users may enroll and authenticate with:

  • iOS and Android mobile phones
  • iOS and Android tablets
  • Security keys (in supported browsers)
  • Touch ID (on supported Mac hardware)

Changes to the User Interface

The Duo enrollment and authentication interface hides the disallowed platforms and device types from end users.

Feature | Federal Editions | Standard Editions
Enrollment device options | No landline option | Has landline option
Enrollment of existing device | Cannot enroll with an existing phone device | Verify an existing phone device during enrollment
Enrollment phone OS options | iPhone and Android only | iPhone, Android, Windows Phone, or Other
Automatic authentication actions | No automatic call | May choose automatic call
Authentication factor options | No phone call option | Phone call option
Authentication with SMS passcode | No option to send SMS passcodes | Option to send SMS passcodes present

Changes to Auto Push and Append Applications

Some Duo applications do not show the interactive Duo Prompt. These are typically applications that use RADIUS auto or LDAP authentication through the Duo Authentication Proxy, or Duo for Microsoft Remote Desktop Gateway. Instead of letting the end user interactively choose an authentication method, these integrations perform an automatic push (if Duo Mobile is activated for the end user) or a phone callback (if the user has an attached phone without Duo Mobile activation).

In Duo federal editions, these configurations will not perform an automatic phone call for authentication. If a user has a device activated for Duo Push, they receive an automatic push request. If the user has no device activated for Duo Push, then the login attempt fails.

In some auto push configurations the end user may append the name of a factor, or a passcode generated by a hardware token, received via SMS, or generated by Duo Mobile, to their password when logging in.

In Duo federal editions, the “phone” and “sms” factor options do not work for authentication. Users may continue to append “push” to receive a Duo Push request to Duo Mobile, or append a passcode.
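The auto-push and append behaviour described in the last four paragraphs is easiest to see as a decision procedure. The following is an added example, not Duo's proxy code: it splits an appended credential on the last comma (the proxy's documented default delimiter, so passwords containing commas survive) and then resolves what a federal versus a standard deployment would do for a user who does or does not have Duo Mobile activated. The user records and credentials are constructed for illustration.

```python
# Factor names that Duo's federal editions never honour when appended to a password.
TELEPHONY_FACTORS = frozenset({"phone", "sms"})


def split_appended(secret, sep=","):
    """Split 'password<sep>factor' on the LAST separator.

    Returns (password, appended); appended is None when nothing was appended,
    which puts the integration into auto mode.
    """
    if sep not in secret:
        return secret, None
    password, appended = secret.rsplit(sep, 1)
    return password, appended


def resolve(secret, user, federal=True):
    """Decide what a non-interactive Duo integration does with this login.

    user is a constructed dict: 'push_activated' (Duo Mobile activated for a
    device) and 'has_phone' (an attached phone without Duo Mobile).
    Returns (password, decision, detail) where decision is one of
    'push', 'phone', 'sms', 'passcode' or 'deny', and detail carries the
    passcode to verify or the reason for the denial.
    """
    password, appended = split_appended(secret)

    if appended is None:
        # Auto mode: push if possible. Standard editions fall back to a phone
        # call; federal editions have no telephony fallback and the login fails.
        if user.get("push_activated"):
            return password, "push", None
        if not federal and user.get("has_phone"):
            return password, "phone", None
        return password, "deny", "no device activated for Duo Push; federal editions never fall back to a phone call"

    token = appended.lower()
    if token in TELEPHONY_FACTORS:
        if federal:
            return password, "deny", f"appended factor {token!r} is disabled in Duo federal editions"
        return password, token, None
    if token == "push":
        if not user.get("push_activated"):
            return password, "deny", "no device activated for Duo Push"
        return password, "push", None
    # Anything else is treated as a passcode (hardware token, Duo Mobile, or
    # bypass code); Duo's service, not this code, verifies whether it is valid.
    return password, "passcode", appended


if __name__ == "__main__":
    # Constructed users: one with Duo Mobile activated, one with only a plain phone.
    alice = {"push_activated": True, "has_phone": True}
    bob = {"push_activated": False, "has_phone": True}
    for secret, user, federal in [
        ("Hunter2", alice, True), ("Hunter2", bob, True), ("Hunter2", bob, False),
        ("Hunter2,phone", bob, True), ("Hunter2,phone", bob, False), ("Hunter2,123456", bob, True),
    ]:
        print(f"{secret!r:20} federal={federal!s:5} -> {resolve(secret, user, federal)[1:]}")
```

The two federal denials are the cases administrators see most often after migrating from a standard edition: users who relied on automatic phone callback or on appending "phone" now need Duo Mobile activated or a hardware token passcode.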

Try Duo Federal Editions

Fill out the contact form on the Duo Federal editions pricing page to get started with Duo today!