
Duo Passwordless Public Preview

Last Updated: May 5th, 2022

Duo Passwordless is in Public Preview. Please contact us via this form if you have any issues with or feedback about your experience.

Introducing Duo Passwordless

Duo Passwordless uses platform authenticators and security keys from access devices to secure application access without passwords, reducing the risk surface and administrative burden associated with passwords while improving the user experience. With Duo Passwordless, users no longer have to remember or type long, complex passwords. Instead, they can log in securely with a single gesture that provides the security of two authentication factors.

Read our public preview announcement, learn more about the benefits of passwordless authentication, and explore The Administrator's Guide to Passwordless for technical details.

Supported Authentication Methods

Duo Passwordless supports a diverse set of end-user authenticators for access devices, including:

Supported Browsers

Duo Passwordless supports Chrome (Desktop and Mobile), Safari (Desktop and Mobile), Edge, and Firefox. Not all browsers support all verification methods on a given operating system, so for the widest compatibility we recommend Chrome or the browser that came with your operating system.

Check the tables below for supported browser versions and Duo verification option compatibility. While other browsers may work with Duo Passwordless, Duo actively tests and supports the browser minimum versions listed in the tables.

Windows 10 and Later

| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|--|--|--|--|
| Edge | 79 | Yes¹ | Yes |
| Chrome | 73 | Yes¹ | Yes |
| Firefox | 66 | Yes | Yes |

  1. Windows Hello is not supported in Chrome Incognito or Edge InPrivate browsing sessions.

macOS 11 and Later

| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|--|--|--|--|
| Safari | 14 | Yes¹ | Yes |
| Chrome | 70 | Yes | Yes |
| Firefox | None | No² | No³ |

  1. Duo supports Touch ID in Safari for passwordless login, but not for two-factor authentication.

  2. Firefox on macOS does not support Touch ID due to missing FIDO2 support.

  3. Firefox on macOS cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.

iOS/iPadOS 14.5 and Later

| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|--|--|--|--|
| Safari | 14.5 | Yes | Yes |
| Chrome | 95 | Yes | Yes |
| Edge | 95 | Yes | Yes |
| Firefox | 38 | Yes | Yes |

Android 10 and Later

| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|--|--|--|--|
| Chrome | 95 | Yes | Yes¹ |
| Firefox | 68 | Yes² | No³ |

  1. Chrome on Android 10 and 11 cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.

  2. Firefox on Android 10 and 11 does not support Android biometric enrollment.

  3. Firefox on Android cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.

Enrollment and Authentication Experience

When a user without a passwordless authenticator accesses a Duo-protected web application which has a passwordless policy applied, the user enters their username and password as usual, completes Duo two-factor authentication (2FA), and is then offered the option to enroll in Duo Passwordless by registering their first passwordless authentication method for that access device.

After that, the user experiences passwordless login for the application or applications subject to the passwordless policy when using that access device. Instead of entering a password, the user's registered passwordless authenticator supplies identity verification.

If a user's registered passwordless authenticator isn't available at application sign-in, Duo falls back to the username and password plus 2FA authentication flow.

Remembered Devices

Passwordless login creates a 15-minute remembered device session, implemented via browser cookie. This session lifetime is not configurable or affected by the remembered devices policy settings for secondary authentication. During those 15 minutes, users may access additional Duo applications with an effective policy that permits passwordless authenticators without repeating the authentication process.

Changes to Duo Policies

When you activate Duo Passwordless in your Duo account, you'll notice some changes to the available policy settings when you're using the policy editor.

Authentication Methods

The authentication methods policy distinguishes between 2FA methods and passwordless methods. Enabling any of the passwordless methods in a policy permits use of passwordless authentication for any Duo Single Sign-On application subject to that policy. The passwordless authentication methods settings have no effect for non-SSO applications, as those applications do not support passwordless logins today.

Authentication Methods Settings with Passwordless Activated

User Location

The user location policy expands to apply to both two-factor authentication and passwordless authentication.

User Location Settings with Passwordless Activated

Anonymous Networks

The anonymous networks policy expands to apply to both two-factor authentication and passwordless authentication.

Anonymous Networks Settings with Passwordless Activated

2FA-Only Policy Settings

When a policy setting applies to two-factor authentication and has no effect for passwordless logins, the policy editor reflects this when you edit the configuration for that setting.

2FA-Only Notification in the Policy Editor

The policy settings that apply only to two-factor authentication users are:

  • Trusted Endpoints
  • Remembered devices
  • Plugins
  • Authorized networks

All other policy settings apply to both passwordless and 2FA-only users.

Public Preview Details

Duo Passwordless public preview is available to Duo Beyond, Duo Access, and Duo MFA plan customers in US-based and select international Duo service regions. We will expand support for additional locations throughout the preview period. Please contact your Duo sales or customer success representative to discuss options for your region.

Available Now

  • Self-service registration of access device passwordless authenticators after successful password verification and two-factor authentication.

  • Automatic fallback to password authentication with two-factor authentication in login scenarios where passwordless isn't available.

  • Duo Administrators may view and delete users' passwordless authenticators from the Duo Admin Panel.

  • Support for these Duo authorization policy settings: User Location, Operating Systems, Browsers, and Anonymous Networks.

  • Support for Duo Device Health app policy checks at passwordless login.

  • Reporting for passwordless authentications in the Authentication Log.

Future Updates

Features and functionality still in development:

  • Support for Duo Mobile as a passwordless authenticator on Android and iOS devices.

  • Support for Remembered Devices policy at passwordless login.

Feedback

We welcome your feedback about Duo Passwordless during the public preview. Please contact us via this form if you have any issues with or feedback about your experience.

Requirements

To deploy Duo Passwordless in your organization, you need the following:

  • A Duo Admin with the Owner role to enable passwordless configuration for your Duo account, and with Owner or Administrator roles to create or edit policies that include passwordless authentication methods.

  • Target applications for Duo Passwordless that support SAML 2.0 authentication.

  • WebAuthn platform or roaming authenticators available for your user access devices, such as Face ID or Touch ID on Apple iOS and macOS devices, Windows Hello on Windows devices, Android biometrics, or FIDO2 WebAuthn security keys.

  • An on-premises Active Directory identity store. This configuration requires LDAP authentication from Duo to Active Directory. Continue to the Prerequisites to learn more.

Prerequisites

Before you begin setting up Duo Passwordless, be sure you have:

Duo Passwordless and External Identity Providers

If you don't plan to use Duo Passwordless with an existing external identity provider, you can skip this section and proceed to Enable Duo Passwordless.

While using Duo Passwordless requires Duo Single Sign-On with Active Directory authentication, you can chain your organization's existing SAML identity provider (IdP) to Duo SSO to provide passwordless login to the applications already federated with your IdP.

You will create a generic SAML application in Duo SSO using information from your IdP, and then in your IdP you will construct an authentication policy that delegates to Duo. Your existing identity provider will act as a service provider, and Duo will act as an identity provider to your IdP.

Passwordless SSO Chained Authentication

No additional IdP configuration steps are necessary when Duo Single Sign-On is your identity provider for SAML applications.

You will add Duo SSO as a new claims provider in AD FS.

Create the Duo SAML Application

  1. Click Protect an Application and locate the entry for Generic SAML Service Provider with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect to the far-right to start configuring Generic SAML Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You'll need the information on the Generic SAML Service Provider page under Metadata later.

  2. In a new browser tab or window, navigate to your AD FS server's federation metadata at https://Your-AD-FS-Server/FederationMetadata/2007-06/FederationMetadata.xml. This downloads a FederationMetadata.xml XML metadata file to your computer.

  3. Open the FederationMetadata.xml file obtained from your AD FS server in a text editor. Use the information from the XML file to complete the Duo Generic SAML Service Provider application's Service Provider section as follows:

    | Name | Description | Example Value |
    |--|--|--|
    | Entity ID | The entityID parameter from the XML file. | http://Your-AD-FS-Server/adfs/services/trust |
    | Assertion Consumer Service (ACS) URL | The AssertionConsumerService Location parameter from the XML file. | https://Your-AD-FS-Server/adfs/ls/ |
    | Single Logout URL | The SingleLogoutService Location parameter from the XML file. | http://Your-AD-FS-Server/adfs/ls/ |

    Leave other settings in this section unchanged.

    Duo Generic AD FS Service Provider Information
  4. Make the following selections in the Duo Generic SAML Service Provider application's SAML Response section:

    | Name | Value |
    |--|--|
    | NameID format | Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. |
    | NameID attribute | Type in the complete attribute name userPrincipalName and press Enter. |
    | Signature Algorithm | Use the default selection of SHA-256. |
    | Signing Options | Enable both Sign response and Sign assertion. |

    Leave other settings in this section unchanged.

    Duo Generic AD FS SAML Response Information
  5. Scroll down on the Duo Generic SAML Service Provider application's page to the Universal Prompt section and select Show new Universal Prompt if not already selected.

  6. Scroll down to the "Policy" section and apply a group or application policy that permits passwordless authentication methods.

  7. Scroll down further to the "Settings" section. Enter a descriptive name for this application, like "AD FS Claims Provider Trust".

  8. Click the Save button at the bottom of the page.

  9. After saving the application configuration, scroll down to SAML Metadata in the "Downloads" section. Click the Download XML button. The XML file you download will have the same name that you gave this application in Duo.

  10. Copy the XML file you downloaded from Duo to your AD FS server.
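Step 3 above asks you to read the entityID, AssertionConsumerService Location and SingleLogoutService Location out of FederationMetadata.xml by hand. The following added example (not Duo's or Microsoft's code) pulls those three values out of a metadata file with Python's standard XML parser and flags any ACS or logout endpoint that is not HTTPS. The embedded metadata is a constructed, trimmed-down sample shaped like an AD FS file; a real one also carries RoleDescriptor, KeyDescriptor and ds:Signature elements, which the parser simply ignores. The hostname adfs.example.com is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespace and binding URIs defined by the SAML 2.0 metadata and bindings specifications.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, trimmed to the elements the Duo Service Provider section needs.
SAMPLE_FEDERATION_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.com/adfs/services/trust">
  <SPSSODescriptor WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.example.com/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://adfs.example.com/adfs/ls/"
                              index="0" isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                              Location="https://adfs.example.com/adfs/ls/" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def _pick_location(endpoints, preferred_binding):
    """Choose one endpoint: the one flagged isDefault, else the preferred binding, else the first."""
    if not endpoints:
        return None
    for ep in endpoints:
        if ep.get("isDefault", "").lower() == "true":
            return ep.get("Location")
    for ep in endpoints:
        if ep.get("Binding") == preferred_binding:
            return ep.get("Location")
    return endpoints[0].get("Location")


def extract_sp_settings(xml_text):
    """Return the Entity ID, ACS URL and Single Logout URL for Duo's Service Provider section."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor found; this metadata does not describe a service provider")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": _pick_location(sp.findall("md:AssertionConsumerService", NS), HTTP_POST),
        "slo_url": _pick_location(sp.findall("md:SingleLogoutService", NS), HTTP_POST),
    }


def endpoint_warnings(settings):
    """Flag endpoints that would receive signed assertions or logout messages over plain HTTP."""
    warnings = []
    for name in ("acs_url", "slo_url"):
        url = settings.get(name)
        if url and not url.lower().startswith("https://"):
            warnings.append(f"{name} is not HTTPS: {url}")
    return warnings


if __name__ == "__main__":
    settings = extract_sp_settings(SAMPLE_FEDERATION_METADATA)
    for key, value in settings.items():
        print(f"{key}: {value}")
    for warning in endpoint_warnings(settings):
        print("WARNING:", warning)
```

The entityID is an identifier rather than an endpoint, so AD FS's conventional http:// value there is not flagged; only the ACS and logout URLs, which actually receive traffic, are checked. Replace the sample text with the contents of the file downloaded from your own AD FS server to get the values for the Duo form.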

Create the AD FS Claims Provider Trust

  1. Log in to your AD FS server and launch the AD FS Management console. Navigate to AD FS → Claims Provider Trusts.

  2. Click the Add Claims Provider Trust... action in the "Actions" pane on the right.

  3. Click Start on the first page of the "Add Claims Provider Trust Wizard".

  4. On the "Select Data Source" page, select the Import data about the claims provider from a file option, and browse to the XML file you downloaded from the Duo Admin Panel and copied over to the AD FS server. Click Next after selecting the Duo XML file.

  5. Enter a descriptive name for the Duo claims provider on the "Specify Display Name" page, and any additional information in the "Notes" field to help you identify this trust, and click Next.

  6. Make no changes on the "Ready to Add Trust" page and click Next.

  7. When you reach the "Finish" page, enable the Open Claim Rules option and then click Close.

  8. On the "Edit Claim Rules for ..." page click Add Rule.... A new window will appear.

  9. On the "Select Rule Template" page select Transform an Incoming Claim from the drop-down and click Next.

  10. On the "Configure Rule" page type Name ID to UPN into the "Claim rule name" field.

  11. Select Name ID from the "Incoming claim type:" drop-down.

  12. Leave the "Incoming name ID format:" value as Unspecified.

  13. Click the drop-down next to "Outgoing Claim Type" and select UPN.

  14. Click Finish. If you receive a warning about passing claim values, click OK. You'll return to the "Edit Claims Rules for ..." window.

  15. Click OK. The window will close and you'll return to the AD FS Management console.

Learn more about creating claims provider trusts at the Microsoft site.

Create a Claim Issuance Policy for Office 365

If you have Office 365 federated with AD FS, and you want to extend Duo Passwordless to Office 365 logins, follow these additional steps:

  1. In the AD FS Management Console, go to AD FS → Relying Party Trusts.

  2. Right-click on the Microsoft Office 365 Identity Platform relying party and select Edit Claim Issuance Policy....

  3. On the "Edit Claim Rules for ..." page click Add Rule.... A new window will appear.

  4. On the "Select Rule Template" page select Send Claims Using a Custom Rule from the drop-down and click Next.

  5. Name the new claim rule Send UPN as ImmutableID and enter in the following into the "Custom Rule" text box:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "userPrincipalName={0};userPrincipalName,objectGUID;YOURDOMAIN.COM\adfs_service_account_name", param = c.Value);

    IMPORTANT Make sure to update the service account information specified in the rule from YOURDOMAIN.COM\adfs_service_account_name to match your actual domain and the service account used to run the AD FS service on your server.

  6. Click Finish. You'll return to the "Edit Claim Issuance Policy for Microsoft Office 365 Identity Platform" window.

  7. Click OK. The window will close and you'll return to the AD FS Management console.

No additional IdP configuration steps are necessary when you federate Microsoft 365 with Duo Single Sign-On.

Delegation between Duo SSO and PingFederate requires entering information from the Duo Admin Panel into PingFederate and vice-versa. Please refer to Ping's documentation for Managing IdP Connections and identifying identity providers in PingFederate for more details about this process.

Create the Duo SAML Application

  1. Click Protect an Application and locate the entry for Generic SAML Service Provider with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect to the far-right to start configuring Generic SAML Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You'll need the information on the Generic SAML Service Provider page under Metadata later.

  2. Make the following selections in the Duo Generic SAML Service Provider application's SAML Response section:

    | Name | Value |
    |--|--|
    | NameID format | Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. |
    | NameID attribute | Select <Email Address>. |
    | Signature Algorithm | Use the default selection of SHA-256. |
    | Signing Options | Enable both Sign response and Sign assertion. |

    Leave other settings in this section unchanged.

  3. In the Map attributes section, enter this mapping:

    | IdP Attribute | SAML Response Attribute |
    |--|--|
    | <Username> | userid |
  4. Scroll down on the Duo Generic SAML Service Provider application's page to the Universal Prompt section and select Show new Universal Prompt if not already selected.

  5. Scroll down to the "Policy" section and apply a group or application policy that permits passwordless authentication methods.

  6. Scroll down further to the "Settings" section. Enter a descriptive name for this application, like "PingFederate Service Provider".

  7. Click the Save button at the bottom of the page.

  8. Scroll up the page to the "Downloads" section of your generic SAML service provider's page and click Download XML to download the Duo Single Sign-On XML metadata file. You will import this file into PingFederate.

Add the Duo Application to PingFederate

Perform the remaining steps in the PingFederate administrative console. Refer to the PingFederate OpenToken Adapter documentation for more information about these configuration steps. You should have an adapter configured in PingFederate for your target service provider (SP) application (the application with which you want to use Duo Passwordless).

  1. Log in to the PingFederate administrative console and navigate to Authentication → Integration → IdP Connections and create a new SAML 2.0 IDP connection for Duo, using the Import Metadata file selector to upload the metadata XML file you downloaded from the Duo Admin Panel. This will populate PingFederate with information about the Duo IdP, such as the Entity ID and connection name.

  2. Go to Browser SSO and configure the SAML profiles to allow both IdP-Initiated and SP-Initiated SSO.

  3. Go to User-Session Creation and configure it with your desired Identity and Account Mappings.

  4. Go to Target Session Mapping and map your SP application adapter, including mapping attributes between systems (such as mapping subject to cn).

  5. Complete adapter mapping on the "Adapter Mapping Summary" tab and proceed to the "User-Session Creation Summary" tab to continue, clicking Done to accept your changes.

  6. Go to Protocol Settings to configure the protocol settings. The SSO Service Endpoint URLs should be populated from the path portion of the Duo EntityID metadata attribute, for example /saml2/sp/DI73P00LD4DLMLNR9M00, and the SAML bindings should allow POST and Redirect.

  7. Use SAML Standard signature policy and no encryption. Proceed to the "Protocol Settings Summary" to continue, clicking Done to accept your changes.

  8. Go to Credentials and verify that the Duo IdP signing certificate and key were imported from the Duo metadata file.

  9. Proceed to the "Activation and Summary" tab to make the connection active, and then save.

  10. Test logging in to the SP whose adapter you selected during configuration; you should be redirected to Duo SSO.

If you use policy contracts you may need to create a new policy contract for Duo SSO and then create a new authentication policy tree in PingFederate, using the Duo Generic SAML application's IDP connection and the policy contract you just created as part of the authentication flow.

The Ping document Connecting Okta as an IdP through SAML to PingFederate as an SP is a step-by-step example of similar configuration that can be used as a guide to configuring Duo's SSO IdP as an SP in PingFederate.

Create the Duo SAML Application and add to Okta

  1. Click Protect an Application and locate the entry for Generic SAML Service Provider with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect to the far-right to start configuring Generic SAML Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You'll need the information on the Generic SAML Service Provider page under Metadata later.

  2. Scroll down on the "Generic SAML Service Provider - Single Sign-On" application page to the Downloads section. Click Download certificate. You will upload this certificate file to Okta in the next set of steps.

  3. Keep the Duo Admin Panel open in your browser. You will need to copy information from Duo into Okta and vice-versa.

  4. Log in to the Okta administrator console and navigate to Security → Identity Providers. Click the Add Identity Provider button and select Add SAML 2.0 IdP.

  5. Fill out the information for the new identity provider using the following information from the Generic SAML Service Provider application in Duo:

    | Name | Description and Example Value |
    |--|--|
    | Name | Enter a descriptive name for this IdP, like Duo SSO - Passwordless |
    | IDP Usage | If you see this field, set it to SSO only |
    | IdP Username | Enter idpuser.subjectNameId |
    | Match against | Set this to Okta Username or Email |
    | If no match is found | Set to Redirect to Okta sign-in page |
    | IdP Issuer URI | The Entity ID from the Duo Admin Panel, e.g. https://sso-abcd1234.sso.duosecurity.com/saml2/sp/DI73P00LD4DLMLNR9M00/metadata |
    | IdP Single Sign-On URL | The Single Sign-On URL from the Duo Admin Panel, e.g. https://sso-abcd1234.sso.duosecurity.com/saml2/sp/DIABC123678901234567/sso |
    | IdP Signature Certificate | Click Browse files... and select the certificate you downloaded from the Duo Admin Panel. |

    Click Add Identity provider when done.

  6. Click on your newly-created identity provider for Duo Passwordless to expand its properties.

  7. Return to the Generic SAML Service Provider application in the Duo Admin Panel and enter the following information from Okta in the Service Provider section:

    | Name | Description and Example Value |
    |--|--|
    | Entity ID | The Okta Audience URI value, e.g. https://acme.okta.com/sso/saml2/0oa13h448i8B0Ahp00l8 |
    | Assertion Consumer Service (ACS) URL | The Okta Assertion Consumer Service URL value, e.g. https://www.okta.com/saml2/service-provider/spmbjynpoolcvndadqkqc |

    Leave other settings in this section unchanged.

  8. Scroll down on the Duo Generic SAML Service Provider application's page to the Universal Prompt section and select Show new Universal Prompt if not already selected.

  9. Scroll down to the "Policy" section and apply a group or application policy that permits passwordless authentication methods.

  10. Scroll down further to the "Settings" section. Enter a descriptive name for this application, like "Okta Service Provider".

  11. Click the Save button at the bottom of the page.

Configure Okta Authentication Rules

  1. Return to the "Identity Providers" page in the Okta console and click the Routing Rules tab. Click Add Routing Rule.

  2. Configure the new routing rule's logic to scope Duo Passwordless authentication to specific applications and/or specific users. For example, you may want to create a rule that routes any user assigned to a Salesforce app federated with Okta to your new Duo identity provider for passwordless authentication.

  3. Click Create Rule to save your new rule. Once you save it you can drag it up or down your rules list to change its priority during rule evaluation.

For other IdPs not listed here by name, refer to the Duo Single Sign-On for Generic SAML Service Providers documentation for creating a Duo SAML SP application that you will then configure as a delegated identity provider in your organization's IdP.

Enable Duo Passwordless

Role required: Owner

  1. Log in to the Duo Admin Panel and use the left-side navigation to go to Single Sign-On → Passwordless.

  2. The Passwordless landing page shows whether you've completed the Duo Single Sign-On, Active Directory (AD) authentication source prerequisite steps, and whether you need to upgrade your Duo Authentication Proxy.

    Duo Passwordless Start Page

    If you haven't completed the first three steps yet, please do so and return to the Passwordless page when done.

  3. If you have completed all the prerequisites, the next step is activating Passwordless for your Duo account. Review the information presented, and then check the I have read and understand the above box and click the Activate Passwordless button.

  4. After you activate Passwordless for your account the Passwordless start page updates to show you have completed the setup requirements. Your next action is to enable passwordless authentication using Duo policies.

Configure Passwordless Policy

Role required: Owner or Administrator

The next step in deploying Duo Passwordless is to update your Duo policies to enable passwordless authentication methods. Before making any policy changes you should decide if you want to enable passwordless authentication for specific users or SSO applications, or for all users and compatible SSO applications.

There are two types of passwordless authentication methods you can enable in the policy:

  • Platform Authenticators: This enables end-user authentication using authenticators or biometric sensors built into their access devices, such as Touch ID or Face ID on Apple devices, Windows Hello on Windows 10 and 11 systems, or Android biometrics. Enabling platform authenticators prompts just those users with compatible access devices to register a passwordless authenticator when they log in.

    If you only enable this method in your policy, then users with devices that do not have a compatible platform authenticator do not receive the prompt for passwordless registration because their device does not support it. They will continue to log in with their password.

    If a user previously registered a roaming authenticator while subject to a different policy, they would not be able to use it to access an application when the effective policy only permits platform authenticators and will fall back to username and password authentication.

  • Roaming Authenticators: This enables end-user authentication using FIDO2-compliant WebAuthn security keys attached to their access devices, like those from Yubico or Feitian. Enabling roaming authenticators prompts all users to register a passwordless authenticator whenever they log in.

    If you only enable this method in your policy, then users cannot register platform authenticators but they will still be offered the opportunity to register a security key. They will need access to a supported roaming authenticator to complete passwordless registration. Don't enable roaming authenticators if your users do not have access to compatible WebAuthn security keys with PINs or biometrics.

    If a user previously registered a platform authenticator while subject to a different policy, they would not be able to use it to access an application when the effective policy only permits roaming authenticators and will fall back to username and password authentication.

Enable Passwordless with Group Policy

  1. Log on to the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page of the Single Sign-On application to which you want to apply the Passwordless policy.

  3. Click the Apply a policy to groups of users link to assign the new Passwordless policy to a test group.

    Apply Group Policy
  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

    Create New Application Policy
  5. The policy editor launches with an empty policy.

    Empty Custom Policy
  6. Enter a descriptive Policy Name at the top of the left column, and then click the Authentication methods policy item on the left.

    Creating the Passwordless Policy
  7. Select either or both types of passwordless authentication methods to enable for users:

    • Platform Authenticators enables your end users to authenticate using authenticators or biometric sensors built into their access devices.

    • Roaming Authenticators enables your end users to authenticate using FIDO2-compliant WebAuthn security keys attached to their access devices.

  8. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new passwordless authentication methods policy selected. Start typing in the pilot group's name in the Groups field and select it from the suggested names.

    Apply the New Passwordless Group Policy
  9. Click the Apply Policy button. The application page shows the new group policy assignment.

    Apply the New Passwordless Policy

For more information about creating and applying group policies, see the Policy documentation.

Enable Passwordless with Application Policy

  1. Log on to the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to the details page of the Single Sign-On application to which you want to apply the Passwordless policy.

  3. Click the Apply a policy to all users link to assign the new passwordless authentication methods policy to all users of the application.

    Apply Application Policy
  4. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

    Create New Application Policy
  5. The policy editor launches with an empty policy.

    Empty Custom Policy
  6. Enter a descriptive Policy Name at the top of the left column, and then click the Authentication methods policy item on the left.

    Creating the Passwordless Policy
  7. Select either or both types of passwordless authentication methods to enable for users:

    • Platform Authenticators enables your end users to authenticate using authenticators built into their access devices.

    • Roaming Authenticators enables your end users to authenticate using FIDO2-compliant WebAuthn security keys attached to their access devices.

  8. Click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with the new passwordless authentication methods policy selected.

    Apply the New Passwordless Policy
  9. Click the Apply Policy button. The application page shows the new policy assignment.

    Apply the New Passwordless Policy

For more information about creating and applying application policies, see the Policy documentation.

Test Your Setup

Access your federated service provider application as a user whose effective authentication methods include passwordless authenticators from an access device that has a supported platform or roaming authenticator available. Log in with username and password, and then complete Duo two-factor authentication.

After performing Duo authentication, Duo prompts you to begin passwordless registration. Click or tap Set it up to begin.

Start Duo Passwordless Setup

Choose which passwordless authenticator type to register. The options shown here correspond to the access device authenticators you enabled in your passwordless policy. In this example the policy allows both platform and roaming authenticators and the access device is a MacBook with Touch ID.

Start Duo Passwordless Setup

Follow the on-screen prompts to set up that device for Duo Passwordless. Depending on the type of authenticator you're registering, you will need to scan your fingerprint or face, enter a PIN, or tap a device. Continuing the Touch ID example, you'll tap the Touch ID reader when prompted.

Chrome Touch ID Prompt

When you receive confirmation that you've registered the passwordless authenticator successfully, you can continue on to the application. The next time you log into the SSO application from that access device, you will enter your email and then interact with your registered authenticator instead of typing in your password.

See the full authenticator setup and passwordless login experience, including detailed instructions for all supported authenticators, in the Duo Passwordless End User Guide.

Managing Passwordless Authenticators

You can view and delete a user's registered passwordless authenticators from the Duo Admin Panel.

  1. Log in to the Duo Admin Panel and search for the user from the search bar at the top of the page. You can also click Users in the left sidebar and then select a user by clicking their username.

  2. Scroll down to the WebAuthn & U2F table on the user's details page. Any passwordless authenticators registered by the user contain "(passwordless)" in the device type information.

    Passwordless Authenticators in the User WebAuthn & U2F Table
  3. To delete a user's passwordless authenticator, click the trash icon to the right of the device's information in the table.

    When you delete the authenticator, the user will need to use a different registered passwordless authenticator to log in to applications. If no more passwordless authenticators remain registered for the user they will log in with their password.

Tracking Passwordless Adoption

You can view passwordless enrollment status across your organization with a CSV export of your users:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Click the Export button in the upper right side of the user list and select CSV to download a list of users. If you've filtered your current view (for example, by entering search text in the search box), the report only includes the filtered results.

  3. Open the CSV file and look for the "Passwordless Enabled" value: "true" for users who have enrolled a passwordless authenticator or "false" for users who have not yet done so.

If you export the users list in JSON format, the passwordless status is the last value in the array for each user.
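As an added example (not Duo's own tooling), the following Python summarises enrollment from either export format described above: it reads the "Passwordless Enabled" column from a CSV export and the last value of each user's array from a JSON export. The sample data is constructed; apart from "Passwordless Enabled", which the page names, the CSV column names and the assumption that the username is the first element of each JSON array are guesses about the export layout and should be adjusted to match your own file.

```python
import csv
import io
import json

# Constructed sample CSV shaped like a user export. Only "Passwordless Enabled" is a
# column the page names; the other headers are assumptions.
SAMPLE_USERS_CSV = """Username,Email,Status,Passwordless Enabled
alice,alice@example.com,Active,true
bob,bob@example.com,Active,false
carol,carol@example.com,Active,true
dave,dave@example.com,Bypass,false
"""

# Constructed sample JSON export: one array per user, with the passwordless status last
# (as the page states). Username being element 0 is an assumption.
SAMPLE_USERS_JSON = json.dumps([
    ["alice", "alice@example.com", "Active", True],
    ["bob", "bob@example.com", "Active", False],
    ["carol", "carol@example.com", "Active", True],
    ["dave", "dave@example.com", "Bypass", False],
])

PASSWORDLESS_COLUMN = "Passwordless Enabled"


def _as_bool(value):
    """Accept a real boolean (JSON) or the strings "true"/"false" (CSV); reject anything else."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "false"):
        return text == "true"
    raise ValueError(f"unexpected passwordless status value: {value!r}")


def _summarise(rows):
    """rows: list of (username, enrolled) pairs."""
    enrolled = [name for name, status in rows if status]
    pending = [name for name, status in rows if not status]
    total = len(rows)
    return {
        "total": total,
        "enrolled": len(enrolled),
        "percent": round(100 * len(enrolled) / total, 1) if total else 0.0,
        "pending": pending,
    }


def adoption_from_csv(csv_text):
    """Summarise passwordless enrollment from a CSV user export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if PASSWORDLESS_COLUMN not in (reader.fieldnames or []):
        raise ValueError(f"export has no '{PASSWORDLESS_COLUMN}' column; is Passwordless activated?")
    return _summarise([(row["Username"], _as_bool(row[PASSWORDLESS_COLUMN])) for row in reader])


def adoption_from_json(json_text):
    """Summarise passwordless enrollment from a JSON user export (status is the last array value)."""
    return _summarise([(entry[0], _as_bool(entry[-1])) for entry in json.loads(json_text)])


if __name__ == "__main__":
    report = adoption_from_csv(SAMPLE_USERS_CSV)
    print(f"{report['enrolled']}/{report['total']} users enrolled ({report['percent']}%)")
    print("not yet enrolled:", ", ".join(report["pending"]))
```

Because a filtered view exports only the filtered rows, the "total" in the report is the number of users in the file, not necessarily the whole directory; export from an unfiltered view when you want organisation-wide numbers.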

Passwordless Reporting

View authentication reporting for passwordless logins in the Authentication Log. The "Authentication Factor" shown will be "Passwordless", indicating that a WebAuthn passwordless authentication method was used.

Passwordless Events in the Authentication Log

Passwordless access of SAML applications also appears in the Single Sign-On Log, as a new primary authentication session with no second factor listed and "Passwordless" plus the WebAuthn credential's key as the "Authentication Method".

Passwordless Events in the Single Sign-On Log
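The log views above are per event; an administrator running a preview usually also wants two aggregates: how much login traffic is passwordless, and which users have stopped using it. The following added example (not Duo's code) computes both over a constructed list of Authentication Log rows. The "Passwordless" factor value is the one the page says appears; the field names (timestamp, user, factor, result, application) and the other factor label are assumptions, so map them to your own export before use. A user who has logged in passwordless before but whose most recent successful login used another factor has hit one of the fallbacks described earlier (authenticator unavailable, deleted, or not permitted by the effective policy) and is worth a follow-up.

```python
from collections import Counter, defaultdict

PASSWORDLESS = "Passwordless"  # the Authentication Factor value shown for passwordless logins

# Constructed sample events; field names are assumptions about the export layout.
SAMPLE_EVENTS = [
    {"timestamp": "2022-05-02T08:01:00Z", "user": "alice", "factor": "Passwordless",
     "result": "success", "application": "Salesforce"},
    {"timestamp": "2022-05-02T08:05:00Z", "user": "bob", "factor": "Duo Push",
     "result": "success", "application": "Salesforce"},
    {"timestamp": "2022-05-03T09:12:00Z", "user": "alice", "factor": "Passwordless",
     "result": "success", "application": "Okta"},
    {"timestamp": "2022-05-04T10:30:00Z", "user": "alice", "factor": "Duo Push",
     "result": "success", "application": "Salesforce"},
    {"timestamp": "2022-05-04T11:00:00Z", "user": "carol", "factor": "Passwordless",
     "result": "failure", "application": "Salesforce"},
]


def factor_breakdown(events):
    """Count successful logins per authentication factor."""
    return Counter(e["factor"] for e in events if e["result"] == "success")


def users_who_fell_back(events):
    """Users with at least one passwordless login whose latest successful login used another factor."""
    history = defaultdict(list)
    for e in sorted(events, key=lambda e: e["timestamp"]):  # ISO 8601 sorts lexicographically
        if e["result"] == "success":
            history[e["user"]].append(e["factor"])
    return sorted(user for user, factors in history.items()
                  if PASSWORDLESS in factors and factors[-1] != PASSWORDLESS)


if __name__ == "__main__":
    counts = factor_breakdown(SAMPLE_EVENTS)
    total = sum(counts.values())
    for factor, n in counts.most_common():
        print(f"{factor}: {n} ({100 * n / total:.0f}%)")
    print("fell back to another factor:", ", ".join(users_who_fell_back(SAMPLE_EVENTS)) or "none")
```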

Troubleshooting

Need some help? Take a look at our passwordless Knowledge Base articles or Community discussions. For further assistance, contact Support.