Admins can make Duo's authentication protection even easier for users while maintaining good security practices throughout their organization with the Remembered Devices and Authorized Networks features.
We strive to provide strong authentication for your users while maintaining a seamless, non-disruptive login experience. We offer features that increase convenience for your users and give admins fine-grained control over when users are prompted for two-factor authentication. These features are Remembered Devices, Risk-Based Remembered Devices, and Authorized Networks.
Duo's remembered devices feature is similar to the "remember my computer" or "keep me logged in" options users are accustomed to seeing during primary authentication on many websites. With the remembered devices feature enabled, the user is offered a "Remember me for ..." checkbox or "Trust this browser" option during login. When users check this box, they aren't challenged for secondary authentication again when they log in to that application from that device for the specified period of time.
Customers with the Duo Essentials, Duo Advantage, or Duo Premier plan can use the policy editor to change the "Remembered Devices" policy setting globally or for specific applications. These plan customers can also apply a shared remembered devices policy across multiple applications.
See the Policy & Control Remembered Devices documentation for more information and instructions for applying Remembered Devices policy settings.
When this setting is enabled "for each application", then it only applies to an individual Duo-protected service. Subsequent access of the same application will not require 2FA after the first authentication, but if a user accesses a different application protected by the Duo then the user will have to approve a Duo login request again for the second application for the life of that session (the amount of time configured in the policy setting).
When the remembered devices option is enabled for "any application", this creates a trusted session for that user, client browser, and endpoint, where any login to an application with this setting enabled won't prompt for Duo authentication if a user logged into that or any other applications with the same remembered device policy setting and chooses to remember their device.
Remembered devices are currently supported in our browser-based applications (e.g. SSL VPNs, Outlook Web Access, Shibboleth, WordPress, etc.). You can choose to allow users this option for some applications while still always requiring secondary authentication for critical services.
Risk-Based Remembered Devices adds additional security to the existing Duo Remembered Devices functionality to ensure improved security of physical access endpoints against lost or stolen devices and enable longer remembered device sessions. With Risk-Based Remembered Devices, establishing the remembered device session is automatic with no prompt to the user. Once the remembered device session is established, Duo looks for anomalous IP addresses or changes to a device throughout the lifetime of the remembered device session and requires a new session if it observes that change from historical baselines.
Learn more about Duo's Risk-Based Authentication offering.
Trusted login sessions using the Remembered Devices policy setting is available with Duo Authentication for Windows Logon version 4.2.0 and later.
When a user logs into Windows at the local workstation or server console and checks the "Remember me" box during Duo authentication, it creates a trusted session for that user on that host with that IP address after successful Duo authentication. Duo won't prompt for authentication again when the user locks and unlocks the workstation, or for credentialed UAC elevation by that user, for the duration specified in the policy setting.
Many organizations mandate stronger authentication only for untrusted, Internet-originated access to company services. For example, you may want to enforce two-factor authentication on your VPN endpoint for remote employees, while allowing local employees plugged in via an 802.1x-authenticated wired ports to access internal resources without a two-factor challenge.
A Duo administrator can specify these authorized networks by IP addresses or CIDR blocks. Users originating from any of the defined authorized networks bypass Duo two-factor authentication.
Customers with the Duo Essentials, Duo Advantage, or Duo Premier plan can use the policy editor to change the "Authorized Networks" policy setting globally or for specific applications or groups of users. Duo Advantage and Duo Premier customers may additionally enforce 2FA for specified networks or block access from all unknown networks.
See the Policy & Control Authorized Networks documentation for more information and instructions for configuring the enhanced authorized networks policy.