Admins can make Duo's authentication protection even easier for users while maintaining good security practices throughout their organization with the Remembered Devices and Authorized Networks features.
We have a mantra at Duo: the less your users see of us, the better.
We strive to provide strong authentication for your users while maintaining a seamless, non-disruptive login experience. We've introduced two features that increase convenience for your users and give admins fine-grained control over when users are prompted for two-factor authentication. These features are Remembered Devices and Authorized Networks.
Duo's remembered devices feature is similar to the "remember my computer" or "keep me logged in" options users are accustomed to seeing during primary authentication on many websites. With the remembered devices feature enabled, the user is offered a “Remember me for ...” checkbox during login. When users check this box, they aren't challenged for secondary authentication again when they log in to that application from that device for the specified period of time.
When this setting is enabled per application, it applies only to an individual Duo-protected service. Subsequent access to the same application will not require 2FA after the first authentication, but if a user accesses a different application protected by Duo, the user will have to approve a Duo login request again for the second application for the life of that session (the amount of time configured in the policy setting).
When the remembered devices option is enabled for all protected web applications, it creates a trusted session for that user, client browser, and endpoint. Any login to an application with this setting enabled won't prompt for Duo authentication if the user has already logged in to that or any other application with the same remembered devices policy setting and chose to remember their device.
Remembered devices are currently supported in our web-based applications (e.g. SSL VPNs, Outlook Web Access, Shibboleth, WordPress, etc.). You can choose to allow users this option for some applications while still always requiring secondary authentication for critical services.
Customers with the Duo MFA, Duo Access, or Duo Beyond plan can use the policy editor to change the "Remembered Devices" policy setting globally or for specific applications. These plan customers can also apply a shared remembered devices policy across multiple applications.
See the Policy & Control Remembered Devices documentation for more information and instructions for applying Remembered Devices policy settings.
Many organizations mandate stronger authentication only for untrusted, Internet-originated access to company services. For example, you may want to enforce two-factor authentication on your VPN endpoint for remote employees, while allowing local employees plugged in via 802.1X-authenticated wired ports to access internal resources without a two-factor challenge.
A Duo administrator can specify these authorized networks by IP addresses or CIDR blocks. Users originating from any of the defined authorized networks bypass Duo two-factor authentication.
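Because every address inside an authorized network skips the second factor, the list is worth reviewing before it is entered. The following is an added example, not Duo's code or API: a Python sketch that parses a candidate list of IPs and CIDR blocks, reports which client addresses would bypass 2FA, and flags entries that are overly broad. The function names, the "internal" ranges, the review threshold and the sample list are all assumptions made for illustration.

```python
import ipaddress

# Assumption: "internal" means RFC 1918 (IPv4) or unique-local (IPv6) space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
MAX_HOSTS = 2 ** 16  # hypothetical review threshold, not a Duo setting

def parse_networks(entries):
    """Turn IPs / CIDR blocks into network objects; a bare IP becomes /32 or /128."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def bypasses_2fa(client_ip, authorized):
    """True if client_ip falls inside any authorized network (no 2FA prompt)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net in authorized)

def audit(authorized):
    """Return (network, reason) pairs for entries that deserve a second look."""
    findings = []
    for net in authorized:
        internal = any(net.version == r.version and net.subnet_of(r)
                       for r in INTERNAL)
        if net.prefixlen == 0:
            findings.append((str(net), "matches every address: 2FA is effectively off"))
        elif not internal:
            findings.append((str(net), "not internal address space"))
        elif net.num_addresses > MAX_HOSTS:
            findings.append((str(net), "very broad internal range"))
    return findings

# Constructed sample list (private and documentation ranges only).
SAMPLE = ["10.20.0.0/16", "192.168.5.17", "203.0.113.0/24", "10.0.0.0/8", "0.0.0.0/0"]

if __name__ == "__main__":
    nets = parse_networks(SAMPLE)
    for net, reason in audit(nets):
        print(f"{net}: {reason}")
    for client in ("10.20.3.4", "198.51.100.7"):
        print(client, "bypasses 2FA:", bypasses_2fa(client, nets[:3]))
```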
Customers with the Duo MFA, Duo Access, or Duo Beyond plan can use the policy editor to change the "Authorized Networks" policy setting globally or for specific applications or groups of users. Duo Access and Duo Beyond customers may additionally enforce 2FA for specified networks or block access from all unknown networks.
See the Policy & Control Authorized Networks documentation for more information and instructions for configuring the enhanced authorized networks policy.