Policy & Control

Duo lets you reduce risks by enforcing precise policies and controls. Enable your team to define and enforce rules on who can access what applications — under what conditions. Define access policies by user group and per application to increase security without compromising end-user experience.

Overview

In the Duo Free and MFA plans, administrators use a combination of settings — applied globally, to applications, or to groups — to control how users authenticate using Duo’s service.

Duo Beyond and Duo Access plan customers gain more granular control with the Policy & Control feature.

  • Policies are now centrally managed and can be shared between applications, so you don't have to specify the same setting in multiple places.
  • Policies can also be applied to specific user groups accessing an application. This lets you set different rules depending on who is authenticating and their context.
  • We’ve added new policy settings, like the ability to require that mobile devices are screen locked with a passcode or to prevent authentication by rooted devices.

Create and manage your policies from the top-level Policies tab in the Duo Admin Panel.

Policies Tab

Only admins with the Owner or Administrator roles can create or edit policies. Admins with the Application Manager role may assign existing policies to applications, but may not edit or create policies.

When creating policies that restrict access for users, keep in mind that users with bypass status are not subject to these restrictions: they skip Duo authentication entirely, including any deny settings, so review which users hold bypass status before relying on a policy to block access.

Migrating to Policy & Control

Role required: Owner or Administrator

Duo prompts you to upgrade to the new Policy & Control Framework the first time you access the Policies tab after upgrading your Duo Free or MFA plan account to Duo Access or Duo Beyond.

Duo migrates your old settings to new policy objects. Global settings convert to your Global Policy, and group and application settings migrate into corresponding policies, assigned to the correct applications.

After this migration takes place, we recommend looking through your policies to make sure everything is set as intended, and renaming the policies to something descriptive that reflects their intended use or targets (for example, "Remote Cisco VPN Users"). Duo's default names are "Application Policy 1", "Application Policy 2", etc.

Policies Page

Global Policy

The Global Policy is built-in and cannot be deleted. It always applies to all applications, so you should edit this policy if there are settings you'd like to control for all users and all applications. A summary of the Global Policy settings is shown on the Policies page. Settings at the Duo defaults are greyed out.

Global Policy

Duo MFA plan customers also have a Global Policy, but with only a subset of the policy settings available to Duo Beyond and Duo Access customers.

Enterprise Global Policy

Editing the Global Policy

Role required: Owner or Administrator

To edit the Global Policy from the Policies page:

  1. Click the Edit Policy button in the upper right of the Global Policy summary.

  2. Once in the Global Policy editor, click the policy settings listed on the left side of the editor that you want to modify, then update the setting configuration on the right side of the editor.

    Global Policy Editor

  3. Click the Save Policy button when your edits to the Global Policy are complete.

  4. The Global Policy summary reflects your new policy settings (your changes show in green and black text instead of the grey text used for default settings).

    Edited Global Policy

  5. If you'd like to restore the original Global Policy settings, open the Global Policy editor again and click the Revert to default link at the top of the "Edit Policy" window. Click Save Policy to apply the Global Policy defaults.

Custom Policies

If certain applications require policy and controls that differ from the Global Policy, Duo Beyond and Duo Access plan customers can create a Custom Policy and assign it to those applications. Custom policies for an application can also be limited to specific groups. A Custom Policy only needs to specify the settings it enforces; any setting it leaves unset is inherited from the Global Policy.

Create custom policies for groups or applications from either the main Policies page or from the properties page of any application. Duo Beyond and Duo Access policies may be shared between multiple applications. Duo MFA customers may only create custom policies on a per-application basis, from an individual application's properties page, and Duo MFA custom policies can't be shared between applications.

Custom Policy View

When you view an application, the Global Policy settings are shown because these settings apply to all applications unless they are overridden by a custom application or group policy.

If an application policy or group policy setting overrides a Global Policy setting, the overridden setting is crossed out in the Global Policy view. In the example below, the New User Policy, User Location, Remembered Devices, Anonymous Networks, Authentication Methods, and Screen Lock settings in the "HIPAA Policy" application policy override those settings in the Global Policy.

Custom and Global Policies in an Application

Create and Apply a Custom Application Policy

Role required: Owner or Administrator

Admins with the Owner and Administrator role can create and assign a new custom policy right from an application's properties page. To do this:

  1. Navigate to an application's properties page in the Duo Admin Panel.

  2. Click the Apply a policy to all users link to assign the policy to all users of that application.

    Apply Application Policy

  3. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

    Create New Application Policy

  4. The policy editor launches with an empty policy.

    Empty Custom Policy

  5. Enter a descriptive Policy Name at the top of the left column, and then click each policy item's name to add it to your new custom policy. Each item you click is added to the policy customization area on the right, where you can adjust the settings. Click the X on the right to remove a setting from the customization area.

    Creating an Application Policy

  6. When you are done adding and configuring policy settings, click the Create Policy button to save the settings and return to the "Apply a Policy" prompt.

    Apply a New Custom Policy

  7. Click the Apply Policy button. The application page shows the new policy assignment.

    Applied Application Policy

Create and Apply a Custom Group Policy

Role required: Owner or Administrator

Duo Beyond or Duo Access admins with the Owner or Administrator role can create a new custom policy and assign it to one or more Duo groups right from an application's properties page. To do this:

  1. Navigate to an application's properties page in the Duo Admin Panel.

  2. Click the Apply a policy to groups of users link to assign the policy to only certain users of that application.

    Apply Group Policy

  3. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

    Create New Application Policy

  4. The policy editor launches with an empty policy.

    Empty Custom Policy

  5. Enter a descriptive Policy Name at the top of the left column, and then click each policy item's name to add it to your new custom policy. Each item you click is added to the policy customization area on the right, where you can adjust the settings. Click the X on the right to remove a setting from the customization area.

    Creating an Application Policy

  6. When you are done adding and configuring policy settings, click the Create Policy button to save the settings and return to the "Apply a Policy" prompt, with your newly created policy selected. Start typing in a group's name in the Groups field and select the policy target group(s) from the suggested names.

    Apply a New Group Policy

  7. Click the Apply Policy button. The application page shows the new group policy assignment.

    Applied Group Policy

Create a Custom Policy from the Policies Page

Role required: Owner or Administrator

To create a custom policy from the main Policies page:

  1. Click the + New Policy button.

    New Custom Policy

    The policy editor starts with an empty policy.

    Empty Custom Policy

  2. Enter a descriptive Policy Name at the top of the left column, and then click each policy item's name to add it to your new custom policy. Each item you click is added to the policy customization area on the right, where you can adjust the settings. Click the X on the right to remove a setting from the customization area.

    Creating an Application Policy

  3. When you are done adding and configuring policy settings, click the Create Policy button.

    The Policies page lists the newly created policy. From the policies page you can edit or delete the custom policy by clicking the appropriate button.

    Custom Policy Created

Apply a Custom Application Policy

Role required: Owner, Administrator, or Application Manager

To assign an existing custom policy to an application:

  1. Navigate to an application's properties page in the Duo Admin Panel.

  2. Click the Apply a policy to all users link to assign the policy to all users of that application.

    Apply Application Policy

  3. Select the policy to apply from the drop-down list.

    Apply Application Policy

    Note that admins with the Application Manager role do not see the "Or, create a new Policy" link visible to Owner and Administrator roles.

  4. Click the Apply Policy button. The application page shows the new policy assignment.

    Applied Application Policy

Apply a Custom Group Policy

Role required: Owner, Administrator, or Application Manager

To assign an existing custom policy to a group:

  1. Navigate to an application's properties page in the Duo Admin Panel.

  2. Click the Apply a policy to groups of users link to assign the policy to a specific group of users who access that application.

    Apply Group Policy

  3. Select the policy to apply from the drop-down list. Then start typing in a group's name in the Groups field and select the policy target group(s) from the suggested names.

    Apply Group Policy

    Note that admins with the Application Manager role do not see the "Or, create a new Policy" link visible to Owner and Administrator roles.

  4. Click the Apply Policy button. The application page shows the new group policy assignment. Clicking the name of the policy group target displays the properties and members of the group.

    Applied Group Policy

Reorder Policies

The policy framework applies custom group policy settings in the order they are listed in an application's Policy properties. When group policy settings conflict, the first policy listed has the highest precedence.

You can reorder group custom policies on an application by clicking the upward-pointing arrow button to the right of a group policy's name. This will move that policy one spot up in the list of group policies.

In the example below, the group policy listed first (applied to "CorpHQ_Users") does not require a screen lock, so the effective policy setting is that a member of both the "CorpHQ_Users" and "ITAdmins" groups may authenticate from a device without a screen lock enabled. Reordering the policies so that the "Require Screen Lock for Admins" group policy is listed first enforces that "ITAdmins" group members always need screen lock enabled to authenticate to this application.

Reorder Group Policy
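To make the layering concrete, here is an added Python model (not Duo's code) of how the settings a user actually gets are resolved: group policies assigned to the application are tried in listed order, then the application policy, then the Global Policy, then Duo's defaults, with each custom policy supplying only the settings it sets. Treating a matching group policy as more specific than the application policy is an assumption, as are the policy names, setting names and values, which are constructed for illustration; the scenario reproduces the screen lock example above before and after the reorder.

```python
"""Illustrative model of how Duo layers Global, application and group policies.

This is an added example, not Duo's code. It follows the page's description:
a custom policy carries only the settings it enforces, an application or
group policy overrides the Global Policy, and group policies assigned to an
application are consulted in their listed order, the first policy that sets
a value winning. Treating group policies as more specific than the
application policy is an assumption, as are the setting names, values and
policy names below, which are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Duo defaults for the handful of settings modelled here (illustrative labels).
DEFAULTS: Dict[str, str] = {
    "new_user_policy": "require_enrollment",
    "screen_lock": "not_required",
    "tampered_devices": "allow",
    "anonymous_networks": "no_action",
}


@dataclass
class Policy:
    name: str
    settings: Dict[str, str]                 # only the settings this policy enforces
    groups: FrozenSet[str] = frozenset()     # empty: applies to all users of the app


@dataclass
class AppPolicyConfig:
    global_policy: Policy
    app_policy: Optional[Policy] = None
    group_policies: List[Policy] = field(default_factory=list)  # precedence order

    def effective(self, user_groups: Set[str]) -> Dict[str, Tuple[str, str]]:
        """Map each setting to (effective value, name of the policy supplying it)."""
        layers = [p for p in self.group_policies if p.groups & user_groups]
        if self.app_policy is not None:
            layers.append(self.app_policy)
        layers.append(self.global_policy)
        result: Dict[str, Tuple[str, str]] = {}
        for setting, default in DEFAULTS.items():
            for policy in layers:
                if setting in policy.settings:
                    result[setting] = (policy.settings[setting], policy.name)
                    break
            else:
                result[setting] = (default, "Duo default")
        return result

    def move_up(self, policy_name: str) -> None:
        """The Admin Panel's up arrow: raise a group policy one spot in the list."""
        idx = next(i for i, p in enumerate(self.group_policies) if p.name == policy_name)
        if idx > 0:
            gp = self.group_policies
            gp[idx - 1], gp[idx] = gp[idx], gp[idx - 1]

    def overridden_global_settings(self, user_groups: Set[str]) -> List[str]:
        """Global Policy settings that would appear crossed out for this user."""
        eff = self.effective(user_groups)
        return sorted(s for s, (_, source) in eff.items()
                      if s in self.global_policy.settings
                      and source != self.global_policy.name)


def page_config() -> AppPolicyConfig:
    """The page's reorder scenario: a relaxed CorpHQ policy listed above the admin one."""
    return AppPolicyConfig(
        global_policy=Policy("Global Policy", {"anonymous_networks": "require_2fa"}),
        app_policy=Policy("HIPAA Policy", {"anonymous_networks": "deny",
                                           "new_user_policy": "deny_access"}),
        group_policies=[
            Policy("CorpHQ No Screen Lock", {"screen_lock": "not_required"},
                   frozenset({"CorpHQ_Users"})),
            Policy("Require Screen Lock for Admins", {"screen_lock": "required"},
                   frozenset({"ITAdmins"})),
        ],
    )


def screen_lock_for_admin(reorder: bool) -> str:
    """Effective screen lock setting for a member of both groups, before/after reordering."""
    cfg = page_config()
    if reorder:
        cfg.move_up("Require Screen Lock for Admins")
    return cfg.effective({"CorpHQ_Users", "ITAdmins"})["screen_lock"][0]


if __name__ == "__main__":
    for setting, (value, source) in page_config().effective({"ITAdmins"}).items():
        print(f"{setting:20} {value:20} from {source}")
```

Running it prints the effective settings for an "ITAdmins" member; screen_lock_for_admin(False) returns "not_required" and screen_lock_for_admin(True) returns "required", matching the reorder described above. The overridden_global_settings() method lists the Global Policy settings the Admin Panel would show crossed out for that user.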

Update Policy Assignments

Clicking the Replace Policy button next to any of an application's currently assigned custom policies brings up the Apply a Policy window. From this window you can pick a different custom policy to apply, or pick different groups to associate with a group policy.

View All Application Policy Assignments

The Applications page of the Duo Admin Panel lists all of your applications. The Application Policy and Group Policies columns display current policy assignments for each application.

Applications List

Clicking any policy name shown on the Applications page takes you to the Policy section of the properties page for that application.

Remove or Delete Policies

To remove a custom policy from an application, click the Unassign Policy button next to that policy's name in the Policy section of an application's properties page.

Unassign Custom Policy

To delete a custom policy from Duo, navigate to the Policies page and click the Delete Policy button to the right of that policy's name. Deleting the policy also removes it from any applications. The alert shows how many applications (if any) the policy currently affects.

Delete Custom Policy

Logging

Duo captures policy-related events, such as custom policy creation and edits to the Global Policy, in the Administrator Actions log.

Policy Logging

User Policy Settings

New User Policy

The new user policy controls authentication for users not enrolled in Duo. In Duo, an enrolled user is someone who has at least one authentication device attached, which can be a phone, hardware token, etc. The new user policy can be one of the following:

  • Require enrollment - Users who are not enrolled in Duo see the inline self-enrollment setup process after entering their primary username and password. Users who are already enrolled in Duo are prompted to complete two-factor authentication. This is the default policy for new applications.
  • Allow access - Users who are already enrolled in Duo are prompted for two-factor authentication. Users not enrolled in Duo are not prompted to complete enrollment and are granted access without two-factor authentication. Duo Beyond and Duo Access plan customers see events for users that access an application without two-factor authentication as a result of this setting in the Authentication Log. Because an unenrolled account can then log in with its primary credentials alone, treat this as a rollout setting and review those log events.
  • Deny access - Access is denied to users not enrolled in Duo. Users must be enrolled before attempting authentication, by using one of the automatic enrollment options, bulk self-enrollment, or manual enrollment by a Duo administrator.

To change the new user policy, click the radio button next to the desired setting.

New User Policy Settings

Group Access Policy

Configure the group access policy to change how certain groups access a Duo-protected application or to change access to selected applications. This overrides less-restrictive authentication policy settings configured at the global, application, or group level. More restrictive policy settings, such as a user location policy denying access to a specific country, still apply.

  • No action - User authentication is not affected by this setting. This is the default.
  • Allow access without 2FA - Users may log in without completing two-factor authentication.
  • Deny access - Blocks all users the policy applies to from authenticating.

Changing the group access policy setting from the default prevents new users from completing inline self-enrollment. When set to "allow", users not enrolled in Duo bypass the Duo Prompt frame entirely when accessing the application, so there is no opportunity for self-enrollment. Authentication to the application is blocked with the "deny" setting, so new users cannot self-enroll in that scenario either. End users who receive enrollment links via email may complete the Duo enrollment process via the emailed link regardless of the group access policy setting.

Group Access Policy Settings

As you deploy Duo throughout your organization you may need to let designated users access a certain application without Duo authentication, while requiring that they complete Duo 2FA when accessing any other protected application.

Accomplish this by first creating a Duo group (manually or via Directory Sync) containing those users.

Next, in the Admin Panel, open the application for which you want those group members to bypass Duo authentication. Click Apply a policy to groups of users to create a new policy with the group access policy set to Allow access without 2FA, and then attach that new policy to your bypass group.

When the users in that Duo group access that application, they'll pass through to the application after successful verification of primary credentials. All other users accessing that application are subject to any other access policy settings applied to that application or in the global policy.

You can use the same process with the group access policy set to Deny Access to block users from accessing a selected application while still permitting them access to other Duo applications.

If you apply the group access policy to an application as an application policy (instead of a group policy), then the configured allow or deny access setting applies to all users of that application. Again, this overrides any other access policy set at the global level, and access to other Duo applications is unchanged.

Configuring the group access policy within Duo's Global Policy affects all Duo applications and all users, whether the user is enrolled in Duo or not. If you set the group access policy to deny in the Global Policy then no users can access any of your Duo-protected applications. Conversely, if you set the group access policy to allow access in the Global Policy, then every user can access every application without completing Duo two-factor authentication, which effectively disables Duo for your organization; reserve the allow and deny settings for group or application policies.

User Location

The user location policy looks up the geographical origin of a user's access device IP address and can then enforce policy based on that location. You can deny all access from certain countries, or always require two-factor authentication for access requests from a country.

To change the user location policy, start typing in a country name to select it from the list, then change the drop-down to the desired setting for that country. The available settings are:

  • No action - Permits Duo authentication from the chosen country. This is the default policy setting for all locations.
  • Allow access without 2FA - Do not require Duo authentication for access requests from the named country.
  • Require 2FA - Always require two-factor authentication for IP addresses originating from the selected country. Note that this setting overrides Remembered Devices and Trusted Networks.
  • Deny access - Prevents all Duo authentication attempts from IP addresses originating from the specified country.

User Location Settings

Devices Policy Settings

Trusted Endpoints

Duo's trusted endpoints feature determines whether an access device is managed by your organization or is an unmanaged BYOD or unknown device. When an application loads the Duo Prompt it checks for the presence of a Duo device certificate on that endpoint. You can use this policy to gain information about the devices used to access your Duo-protected web applications, and optionally restrict access from unmanaged endpoints.

The trusted endpoint policy options are:

  • Do not check for a Duo certificate - Default policy setting, which does not look for the Duo certificate at login.
  • Check for Duo certificate - Duo checks the local user certificate store for a trusted device certificate, and records the endpoint's trusted status.
  • Block endpoints that do not have a Duo certificate - Duo prevents access from endpoints that lack the Duo device certificate.

See our full Trusted Endpoints guide for more information and step-by-step certificate deployment instructions.

Trusted Endpoints Settings

Remembered Devices

Duo's remembered devices feature is similar to the "remember my computer" or "keep me logged in" options users are accustomed to seeing during primary authentication on many websites. With the remembered devices feature enabled, the user will be offered a “Don't prompt me again on this device” checkbox during login. When users check this box, they will not be challenged for secondary authentication when they log in again from that device for a set period of time. This setting only works with applications that show Duo's authentication prompt in a browser.

To enable remembered devices, select the Users may choose to remember their device for _ days setting and enter the desired number of days or hours — up to 365 days — in the space provided (the default is 30 days).

You also have the option to enable remembered devices Per each application or For all protected web applications. When this setting is enabled per application, it only applies to an individual Duo-protected service. Subsequent access of the same application will not require 2FA after the first authentication, but if the user accesses a different application protected by Duo, the user will have to approve a Duo login request again for that second application, for the life of that session (the amount of time configured in the policy setting).

When the remembered devices option is enabled for all protected web applications, this creates a trusted session: any application to which you apply this policy won't prompt for Duo authentication after a user logs in to one of that set of applications and chooses to remember their device. This is especially helpful for users of the Duo Access Gateway. In this scenario, you would create a policy with remembered devices for all applications and then apply that same policy to each DAG-protected SAML application for which you don't want additional 2FA prompts. When a user logs into one of the DAG-protected apps with that policy, like Google Apps, and chooses to remember that device, the user isn't prompted for Duo access again when accessing other SAML apps via the Duo Access Gateway with the same remembered devices policy.

Remembered Devices Settings

Operating Systems

The operating systems policy settings allow you to control which operating systems and versions are allowed to access your applications when protected by Duo's browser-based authentication prompt, while also encouraging users running older operating systems to update to the latest version.

The default settings allow access, authentication, and enrollment from browsers on all Duo supported operating systems, mobile platforms, and versions with no warnings. You may block all versions of any of the OS platforms listed in the policy editor. Mac OS X, Windows, iOS, and Android offer more granular options like blocking operating systems below a certain version and warning the user instead of blocking access. Scroll down in the policy editor to see all OS options.

Operating Systems

Enable the "Warn users if their version is below ..." option to show a warning notification during authentication or enrollment from an out-of-date operating system. The user may disregard the warning and continue with authentication. For example, you may choose to warn users with Windows versions "below 8.1". A user accessing your application from a Windows 8 PC sees a warning at the bottom of the Duo prompt. Clicking "Let's update it" provides the user with information on how to update the operating system. Users can proceed past the warning by clicking "Skip".

Operating System Version Warning

Enabling any operating system restriction blocks users from completing authentication or new user enrollment from that disallowed OS (or OS version). To continue the previous example, choosing to block (instead of warn) users with Windows versions "below 8.1" prevents authentication or enrollment for any user trying to access your application from a Windows 8 computer. Users can't proceed past the out-of-date software notification.

Operating System Version Blocked

If you select "Block all versions" for "Windows" in the policy editor, then users accessing your application from any version of Windows are blocked.

Operating System Blocked

The Android and iOS mobile platforms can also be restricted to a minimum allowed version or blocked entirely. Blocking any version of a mobile OS platform, e.g. iOS or Android, not only restricts access to resources from browsers on those OS platforms or versions, but also prevents use of Duo Mobile to approve Duo Push requests or generate usable passcodes on devices running the restricted OS. If you were to block iOS versions "below 9.0" then any users with Apple devices running iOS 8.x or earlier can no longer use Duo Push or app-generated passcodes. If a user has other activated devices running a different mobile platform, the functionality of those other devices is not affected.

When a mobile device operating system or version is restricted, users see a message in the browser-based Duo authentication prompt.

Mobile Platform Blocked

Duo Mobile also notifies the user that the mobile platform or version is not allowed when attempting to approve the Duo Push request.

Mobile Platform Blocked

Passcodes from a hardware token or received via SMS are allowed, as are phone call authentications, but entering a passcode generated by Duo Mobile on any device running the restricted platform results in an error stating that platform is not permitted.

As an example scenario, if you select "Block all versions" for the "Windows Phone" platform then your iOS, Android, and BlackBerry users continue to receive and approve Duo Push requests, and can also authenticate with SMS passcodes, application passcodes, hardware tokens, or over the phone. Your Windows Phone users can only use SMS passcodes to authenticate, approve a login via phone call, or use a hardware token passcode. If you wanted to completely prevent any use of Windows Phone to approve authentications, you'd also need to disable the "Phone callback" and "SMS passcodes" options in the Authentication Methods policy setting. Keep in mind that disabling phone and SMS authentication affects authentication for all users, no matter what mobile OS they use.

Browsers

Enable this feature to inform your users when their web browser is out of date and optionally block access to your Duo-protected resources from clients with older browser versions or an entire browser family. This policy supports Chrome, Edge, Firefox, Internet Explorer, and Safari. The default setting is to allow all versions of all browsers without any notifications.

Browsers

When the "Warn users if their browser is out of date" option is enabled, users authenticating via the Duo authentication prompt see a notification when the web browser version used is older than the current release version. Instructions for updating or a link to the browser vendor's website are provided if applicable. If you have only opted to warn users, they may skip the software update and complete authentication. The out of date notification continues appearing during authentication attempts until the end user updates to the current version.

Outdated Software Notification

You may also choose to block user access when web browsers are out of date and specify a grace period during which users may continue to authenticate with older versions (0 days to one year after the current release).

If you set your policy to block access from out of date browsers, users can skip past the software update warning up until the end of the grace period you specified in the policy. After that, users may not continue to Duo new user enrollment and authentication. Only updating the browser to a current version permits a user to complete Duo authentication or enrollment.

Outdated Software Blocked

Restrict user access from certain web browsers completely by selecting the browser under "Always block".

Blocked Browsers

See Software Update in the user guide for more information.
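The operating system and browser sections above describe the same kind of check from two angles: a fixed minimum version with a warn or block action, and a rolling "current release" with a grace period. The following added Python example (not Duo's code) models both decisions. Its version parsing, the "allow"/"warn"/"block" labels, the OS policy table (which mirrors the Windows below 8.1, iOS below 9.0 and Windows Phone examples above) and the current-release table are assumptions constructed for illustration; Duo supplies the real current-version data itself.

```python
"""Evaluate Duo-style operating system and browser version policies.

This is an added example, not Duo's code. It models the OS policy's
'warn' or 'block users if their version is below X' options (and 'block
all versions'), and the browser policy's 'warn' mode and 'block after a
grace period' mode. The version parsing, the decision labels and the
'current release' table are assumptions constructed for illustration;
Duo maintains the real current-version data itself.
"""
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.1' -> (8, 1); non-numeric suffixes such as '10.0.1-beta' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: Version, b: Version) -> int:
    """Numeric, component-wise comparison: 10.0 > 9.3 and 8 == 8.0. Returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


# platform -> (action, minimum version). A minimum of None with 'block'
# is the editor's "Block all versions" choice. Mirrors the page's examples.
OS_POLICY: Dict[str, Tuple[str, Optional[str]]] = {
    "Windows": ("warn", "8.1"),
    "iOS": ("block", "9.0"),
    "Windows Phone": ("block", None),
}


def os_decision(platform: str, version: str,
                policy: Dict[str, Tuple[str, Optional[str]]] = OS_POLICY) -> str:
    """'allow', 'warn' (user may skip) or 'block' (authentication and enrollment refused)."""
    rule = policy.get(platform)
    if rule is None:
        return "allow"                       # platform not restricted
    action, minimum = rule
    if minimum is None:
        return "block" if action == "block" else "allow"
    if compare_versions(parse_version(version), parse_version(minimum)) < 0:
        return action
    return "allow"


# Constructed table: browser family -> (current release version, its release date).
BROWSER_CURRENT: Dict[str, Tuple[str, date]] = {
    "Chrome": ("64.0", date(2018, 1, 24)),
    "Firefox": ("58.0", date(2018, 1, 23)),
}


def browser_decision(family: str, version: str, today: date, mode: str = "warn",
                     grace_days: int = 30, always_block: Tuple[str, ...] = ()) -> str:
    """mode: 'allow' (no checks), 'warn', or 'block' once the grace period has ended.

    With mode='block' an out-of-date browser is only warned until grace_days
    after the current release; from that day on it is blocked.
    """
    if family in always_block:
        return "block"
    if mode == "allow" or family not in BROWSER_CURRENT:
        return "allow"
    current, released = BROWSER_CURRENT[family]
    if compare_versions(parse_version(version), parse_version(current)) >= 0:
        return "allow"
    if mode == "block" and today >= released + timedelta(days=grace_days):
        return "block"
    return "warn"


if __name__ == "__main__":
    print(os_decision("Windows", "8.0"))                                       # warn
    print(os_decision("iOS", "8.4"))                                           # block
    print(browser_decision("Chrome", "63.0", date(2018, 3, 1), mode="block"))  # block
```

Note the padding in compare_versions: without it a plain "8" would sort below "8.0" and a user on an un-suffixed version string would be warned or blocked by mistake.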

Plugins

Enable this feature to inform your users when selected plugins are out of date or block access to your Duo-protected resources from clients with outdated plugins (or block a plugin entirely). The default setting is to allow all versions of Flash and Java plugins without any notifications.

Plugins

When the “Warn users" option is enabled, users authenticating via the Duo authentication prompt see a notification when the selected plugins are older than the current release version. If you have only selected to notify users of the outdated software, they may skip the software update and complete authentication. The software update notification continues appearing during authentication attempts until the end user updates the affected plugin.

Outdated Software Notification

You may also choose to block user access when plugins are out of date and specify a grace period during which users may continue to authenticate with older versions (0 days to one year after the current release).

If you set your policy to block access from out of date plugins, users can skip past the software update warning up until the end of the grace period you specified in the policy. After that, users may not continue to Duo new user enrollment and authentication. Only updating the affected plugins permits a user to complete Duo authentication or enrollment.

Outdated Software Blocked

Restrict user access with certain plugins completely by selecting "Block all versions".

Software Blocked

Configure software notifications for any of the following plugins:

  • Flash - Checks the version of the Flash plugin used by the current browser and notifies the user if it is out of date. If the standalone Flash player is detected and out of date, a link is provided to the Adobe Flash download site. Flash is built into Chrome, Internet Explorer 11 (on Windows 8 and later), and Edge browsers, so the recommended remediation action for outdated Flash in those browsers is to update the browser itself.
  • Java - Checks the version of the Java plugin used by the current browser and notifies the user if it is out of date. A link is provided to the Oracle Java download site.

See Software Update in the user guide for more information.

Networks Policy Settings

Trusted Networks

Many organizations mandate stronger authentication only for untrusted, Internet-originated access to company services. You can specify these trusted networks by IP addresses or CIDR blocks. Users originating from any of the defined trusted networks are not prompted for Duo's two-factor authentication, so keep the list limited to address ranges you control: every address in it skips 2FA for the applications the policy covers.

To enable trusted networks, select the Allow access without 2FA from these networks: option and specify a block of IP addresses, IP ranges, or CIDRs as a comma-separated list.

By default, Duo prompts users to enroll when logging in from a trusted network when the new user policy is set to require enrollment. To prevent unenrolled users from receiving the Duo enrollment prompt when connecting from a trusted network, uncheck the Require enrollment from these networks setting.

Trusted Networks Settings
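The following added Python example (not Duo's code) parses a trusted networks list of the kind entered in this setting and works out what happens to an access attempt from a given client address. The "start-end" range syntax and the sample list, which uses RFC 5737 and RFC 3849 documentation address space, are assumptions constructed for illustration; the "bypass", "2fa", "enroll" and "deny" outcomes follow the description above together with the New User Policy section.

```python
"""Parse a Duo-style trusted networks list and evaluate client addresses against it.

This is an added example, not Duo's code. The policy field takes a
comma-separated list of single IPs, IP ranges and CIDR blocks; the exact
range syntax Duo accepts (modelled here as 'start-end') and the sample
list in trusted_networks_demo() are assumptions constructed for
illustration. The decision logic follows the page: addresses inside a
trusted network skip the 2FA prompt, and unenrolled users on a trusted
network are sent to enrollment only if 'Require enrollment from these
networks' is left checked (and the New User Policy requires enrollment).
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted_networks(spec: str) -> List[Network]:
    """Expand a comma-separated list of IPs, 'start-end' ranges and CIDRs into networks."""
    nets: List[Network] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        if "-" in item:
            start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if start.version != end.version or start > end:
                raise ValueError(f"invalid range: {item!r}")
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=True rejects host bits such as 10.1.2.3/8, which Python
            # would otherwise quietly widen to all of 10.0.0.0/8.
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def is_trusted(client_ip: str, nets: List[Network]) -> bool:
    """True if the client address falls inside any configured trusted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)   # v4/v6 mismatch simply evaluates False


def access_outcome(client_ip: str, nets: List[Network], enrolled: bool,
                   new_user_policy: str = "require_enrollment",
                   require_enrollment_from_trusted: bool = True) -> str:
    """Return 'bypass', '2fa', 'enroll' or 'deny' for one access attempt."""
    trusted = is_trusted(client_ip, nets)
    if enrolled:
        return "bypass" if trusted else "2fa"
    # Unenrolled user: the New User Policy decides, except that a trusted
    # network can be set to let unenrolled users through without enrolling.
    if new_user_policy == "deny_access":
        return "deny"
    if new_user_policy == "allow_access":
        return "bypass"
    if trusted and not require_enrollment_from_trusted:
        return "bypass"
    return "enroll"


def trusted_networks_demo() -> List[Network]:
    """Constructed list using documentation address space (RFC 5737 / RFC 3849)."""
    return parse_trusted_networks(
        "192.0.2.0/24, 198.51.100.10, 203.0.113.5-203.0.113.20, 2001:db8::/32")


if __name__ == "__main__":
    nets = trusted_networks_demo()
    for ip in ("192.0.2.77", "203.0.113.21", "2001:db8:1::5"):
        print(ip, "trusted" if is_trusted(ip, nets) else "untrusted")
```

The strict=True CIDR parsing is the safeguard a practitioner wants here: a mistyped 10.1.2.3/8 is rejected instead of silently trusting all of 10.0.0.0/8 and extending the 2FA bypass to far more addresses than intended.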

Anonymous Networks

Duo can help you monitor and optionally prevent authentication attempts originating from known anonymous IP addresses, such as those provided by Tor and I2P, HTTP/HTTPS proxies, or anonymous VPNs.

  • No action - Permits Duo authentication or bypass from anonymous IP addresses. This is the default policy setting.
  • Require 2FA - Always require two-factor authentication for requests from anonymous IP addresses.
  • Deny access - Prevents all Duo authentication attempts from anonymous IP addresses.

Anonymous Networks Settings

Authenticators Policy Settings

Authentication Methods

Duo offers a variety of ways that users can receive their second authentication factor: one-tap authentication with Duo Push, a passcode sent via SMS, an automated voice call, and so on (see our detailed explanation of all authentication methods). To restrict authentication methods, just deselect the methods you don't want used.

Authentication Methods Settings

For example, you can uncheck the "Phone callback" authentication method. Phone call no longer appears as an option in the authentication prompt.

Authentication Prompt Without Phone

The default setting allows all of Duo's authentication methods. If all methods are deselected, then only bypass codes may be used to authenticate.

Note: Even if Duo Push is disabled, users will still be able to use Duo Mobile to generate a one-time passcode (much as they might with a hardware token). You can prevent users from using the app to generate one-time passcodes by unchecking the Duo Mobile passcodes authentication method.

Duo Mobile App

The Duo Mobile smartphone app is an essential part of most organizations' two-factor deployment. Ensure that your Android and iOS users keep Duo Mobile up to date by enabling the Require up-to-date security patches for Duo Mobile policy setting. This allows Android and iOS authentication from devices running Duo Mobile version 3.8 or later while preventing authentication from older Duo Mobile versions.

The default setting allows authentication from Android and iOS devices running any version of Duo Mobile.

Duo Mobile Settings

Tampered Devices

It is possible to gain privileged access to the operating system of a mobile device. This is known as "rooting" on Android and "jailbreaking" on iOS. Duo can verify whether a device is rooted or jailbroken and prevent authentication from those devices. Duo also uses Google's SafetyNet device attestation to identify tampered-with devices. Tampered, rooted, and jailbroken devices may be considered a security risk because they are more vulnerable to exploitation by malware and malicious apps.

You can prevent Duo authentication approvals from tampered-with or rooted Android and jailbroken iOS devices by enabling the Don't allow authentication from tampered devices policy setting. This setting has no effect on other mobile platforms.

The default setting allows authentications from all iOS and Android devices.

Tampered Devices Settings

Screen Lock

Enabling screen lock with passcode on iOS or with PIN on Android secures devices by requiring input of a numeric code when turning on your device or unlocking the screen. If the screen is locked when a Duo Mobile push authentication request is received, then the screen must be unlocked before approving the authentication request.

Require your users to set a PIN or passcode on their devices by enabling the Don't allow authentication from devices without a screen lock option in the "Screen Lock" policy. With this option enabled, users must have screen lock enabled on their devices to approve Duo Push authentication requests or log in with a passcode generated by the Duo Mobile app. Users may still approve phone call login requests and use SMS passcodes texted to a device without screen lock. If you wanted to completely prevent authentications from phones without screen lock configured, you'd also need to disable the "Phone callback" and "SMS passcodes" options in the Authentication Methods policy setting.

This setting applies to all supported Android versions (2.2 and up). For iOS devices, this setting is only enforced on version 8 and higher. Devices running iOS 7 and lower can still authenticate without enabling screen lock. To ensure that Apple devices used to authenticate comply with the screen lock requirement, you may change the Operating Systems policy for iOS to "Block users if their version is below 8.0".

The default setting does not require screen lock enabled to approve a Duo authentication request received via push or use a Duo Mobile generated passcode.

Screen Lock Settings

Full-Disk Encryption

Disk encryption protects device data from unauthorized access. Booting an encrypted device requires entering a passcode or PIN at device boot. Apple devices automatically encrypt the filesystem, but on Android devices encryption is enabled by the end user separately after enabling screen lock.

Prevent Duo authentication from Android devices without disk encryption by enabling the Don't allow authentication from devices without full-disk encryption option in the "Full-Disk Encryption" settings. Note that a PIN is required at startup in order for a device's status to show as encrypted.

The default setting does not require full-disk encryption to approve a Duo authentication request from an Android device. This setting has no effect on iOS.

Full-Disk Encryption Settings

Fingerprint

Newer iOS and Android devices can use fingerprint information as a source of authentication. Duo Mobile for iOS and Android can use fingerprint verification to make two-factor authentication even more secure.

In the policy editor, select the Require fingerprint and use the device's passcode as a fallback option to require fingerprint approval for Duo Push from supported devices. Use of Duo Mobile generated or SMS passcodes is unaffected, as is authentication via phone call.

This setting requires Duo Mobile version 3.7 or later for iOS and version 3.10 or later for Android, and a minimum OS version of iOS 8 or Android 5.0 Lollipop. Devices running earlier versions of Duo Mobile, iOS, or Android cannot authenticate without fingerprint verification when you enable this policy setting.

Requiring fingerprint verification changes the Duo Push workflow. Users may no longer approve an authentication request directly from the app notification. Tapping the Duo notification opens the Duo Mobile app; after tapping "Approve" on the authentication request, the user scans an enrolled finger at the Touch ID or Android PIN prompt to confirm the approval. A user who is unable to authenticate with a fingerprint can fall back to the device's passcode.

The default setting does not require fingerprint verification to approve a Duo Push authentication request from any device. All Duo Mobile, Android, and iOS versions may authenticate (subject to any other version restriction policy settings you may configure).
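The Authentication Methods, Duo Mobile, Tampered Devices, Screen Lock, Full-Disk Encryption and Fingerprint settings described above each apply to some methods and platforms but not others, and several of them hinge on version thresholds. The following Python is an added example (not Duo's code) that models those rules in one place; the dataclass fields, reason strings and the treatment of platforms other than iOS and Android are assumptions. Its one non-obvious detail is the version comparison: "3.10" must sort after "3.8", which a plain string comparison gets wrong.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed model of the Authenticators policy settings; names are assumptions.
ALL_METHODS = {"push", "mobile_passcode", "sms", "phone"}  # bypass codes are always accepted
DUO_MOBILE_METHODS = {"push", "mobile_passcode"}            # methods that go through the app
MIN_UP_TO_DATE_DUO_MOBILE = "3.8"   # "Require up-to-date security patches for Duo Mobile"
MIN_IOS_FOR_SCREEN_LOCK = "8"       # screen lock is not enforced on iOS 7 and lower
FINGERPRINT_MINIMUMS = {            # platform -> (Duo Mobile version, OS version)
    "ios": ("3.7", "8"),
    "android": ("3.10", "5.0"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric, zero-padded comparison: '3.10' >= '3.8' and '8' >= '8.0' are
    both True, whereas as strings '3.10' < '3.8'."""
    a, b = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


@dataclass
class Device:
    platform: str                  # "ios", "android" or another platform
    os_version: str
    duo_mobile_version: str
    tampered: bool = False         # rooted, jailbroken or failed attestation
    screen_lock: bool = False
    disk_encrypted: bool = False


@dataclass
class AuthenticatorPolicy:
    require_up_to_date_duo_mobile: bool = False
    deny_tampered_devices: bool = False
    require_screen_lock: bool = False
    require_full_disk_encryption: bool = False
    require_fingerprint: bool = False
    allowed_methods: Set[str] = field(default_factory=lambda: set(ALL_METHODS))


def evaluate_device_policy(device: Device, policy: AuthenticatorPolicy,
                           method: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons) for one authentication method on one device."""
    reasons: List[str] = []
    if method == "bypass_code":
        return True, reasons            # usable even when every method is deselected
    if method not in policy.allowed_methods:
        return False, ["method_not_allowed"]
    if method not in DUO_MOBILE_METHODS:
        # Phone callback and SMS passcodes never pass through Duo Mobile, so the
        # device settings below do not restrict them.
        return True, reasons
    if device.platform not in ("ios", "android"):
        # The settings are scoped to iOS and Android; treating other platforms
        # as unaffected is an assumption of this model.
        return True, reasons
    if (policy.require_up_to_date_duo_mobile
            and not version_at_least(device.duo_mobile_version, MIN_UP_TO_DATE_DUO_MOBILE)):
        reasons.append("duo_mobile_out_of_date")
    if policy.deny_tampered_devices and device.tampered:
        reasons.append("tampered_device")
    if policy.require_screen_lock and not device.screen_lock:
        if device.platform == "android" or version_at_least(device.os_version, MIN_IOS_FOR_SCREEN_LOCK):
            reasons.append("no_screen_lock")
    if policy.require_full_disk_encryption and device.platform == "android" and not device.disk_encrypted:
        reasons.append("no_full_disk_encryption")   # no effect on iOS
    if policy.require_fingerprint and method == "push":   # passcodes and phone call unaffected
        min_app, min_os = FINGERPRINT_MINIMUMS[device.platform]
        if not (version_at_least(device.duo_mobile_version, min_app)
                and version_at_least(device.os_version, min_os)):
            reasons.append("fingerprint_unsupported")
    return not reasons, reasons


if __name__ == "__main__":
    strict = AuthenticatorPolicy(True, True, True, True, True)
    ios7 = Device("ios", "7.1", "3.8")   # constructed: no screen lock, pre-iOS 8
    for m in ("push", "mobile_passcode", "sms"):
        print(m, evaluate_device_policy(ios7, strict, m))
```

The iOS 7 device in the demo is the case worth checking: with every setting enabled it is still allowed to use a Duo Mobile passcode without a screen lock (enforcement starts at iOS 8), and only loses Duo Push because it falls under the fingerprint minimums, which is why the Screen Lock section suggests pairing the setting with an Operating Systems policy for iOS.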

Fingerprint Settings

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
