Using Remembered Devices & Authorized Networks Controls

Admins can make Duo's authentication protection even easier for users while maintaining good security practices throughout their organization with the Remembered Devices and Authorized Networks features.

Overview

We have a mantra at Duo -- The less your users see of us, the better.

We strive to provide strong authentication for your users while maintaining a seamless, non-disruptive login experience. We've introduced two features that increase convenience for your users and give admins fine-grained control over when users are prompted for two-factor authentication. These features are Remembered Devices and Authorized Networks.

Configuring Remembered Devices

Duo's remembered devices feature is similar to the "remember my computer" or "keep me logged in" options users are accustomed to seeing during primary authentication on many websites. With the remembered devices feature enabled, the user is offered a “Remember me for ...” checkbox during login. When users check this box, they aren't challenged for secondary authentication again when they log in to that application from that device for the specified period of time.

Remembered devices are managed separately for each application in the Duo MFA Edition, and are currently supported in our web-based applications (e.g. SSL VPNs, Outlook Web Access, Shibboleth, WordPress, etc.). You can choose to allow users this option for some applications while still always requiring secondary authentication for critical services.

If you're on the Duo MFA, Duo Access, or Duo Beyond plan, use the policy editor to change the "Remembered Devices" policy setting globally or for specific applications. These plan customers can also apply a shared remembered devices policy across multiple applications. See the Policy & Control Remembered Devices documentation for more information.

Role required: Owner, Administrator, or Application Manager.

To enable remembered devices:

  1. Log in to the Duo Admin Panel and either click Policies on the left or locate an application to which you want to apply a remembered devices policy.

  2. You can either edit the "Global Policy" (which applies to all applications), or create a new policy to change options just for certain applications. Click either the Edit Global Policy, Apply a policy to groups of users (Duo Beyond and Duo Access plans only), or Apply a policy to all users buttons to launch the policy editor.

  3. Once in the policy editor, click the Remembered Devices policy setting on the left side of the editor. Select the Users may choose to remember their device for _ days option and enter the desired number of days or hours — up to 365 days — in the space provided (the default is 30 days), and then choose whether to apply the policy Per each application or For all protected web applications.

    [Screenshot: Remembered Devices Settings]

  4. Click Save Policy when done (if you're creating a new application policy be sure to give it a name before saving).

Configuring Authorized Networks

Many organizations mandate stronger authentication only for untrusted, Internet-originated access to company services. For example, you may want to enforce two-factor authentication on your VPN endpoint for remote employees, while allowing local employees plugged in via 802.1x-authenticated wired ports to access internal resources without a two-factor challenge.

A Duo administrator can specify these authorized networks by IP addresses or CIDR blocks. Users originating from any of the defined authorized networks bypass Duo two-factor authentication.

If you're on Duo's MFA, Access, or Beyond editions, use the policy editor to change the "Authorized Networks" policy setting globally or for specific applications. Duo Access and Duo Beyond customers may additionally enforce 2FA for specified networks or block access from all unknown networks, and apply the Authorized Networks policy to groups of users. See the Policy & Control Authorized Networks documentation for more information about configuring the enhanced authorized networks policy.

Role required: Owner, Administrator, or Application Manager.

To configure Authorized Networks:

  1. Log in to the Duo Admin Panel and either click Policies on the left or locate an application to which you want to apply an authorized networks policy.

  2. You can either edit the "Global Policy" (which applies to all applications), or create a new policy to change options just for certain applications. Click either the Edit Global Policy, Apply a policy to groups of users (Duo Beyond and Duo Access plans only), or Apply a policy to all users buttons to launch the policy editor.

  3. Once in the policy editor, click the Authorized Networks policy setting on the left side of the editor. Enter a block of IP addresses, IP ranges, or CIDRs as a comma-separated list under Allow access without 2FA from these networks:.

    By default, users are prompted to enroll in Duo when logging in from an authorized network when your application's new user policy is set to require enrollment. To prevent unenrolled users from receiving the Duo enrollment prompt when connecting from an authorized network, uncheck the Require enrollment from these networks setting.

    [Screenshot: MFA Plan Authorized Networks Settings]

    Duo Access and Duo Beyond customers also have the Require 2FA from these networks and Deny access from all other networks configuration options. Learn more about these options in our Policy documentation for Authorized Networks.

    [Screenshot: Enhanced Authorized Networks Settings]

  4. Click Save Policy when done (if you're creating a new application policy be sure to give it a name before saving).

If you don't see the Global Policy option in the Policy section, you can still configure authorized networks for this application. Scroll down the page to the Policy section and find the Authorized Network setting. There you can check the Don’t require two-factor authentication for logins from the following IPs: box and specify a block of IP addresses, IP ranges, or CIDRs as a comma-separated list.

[Screenshot: Authorized Networks]

By default, users are prompted to enroll in Duo when logging in from an authorized network when your application's new user policy is set to require enrollment. To prevent unenrolled users from receiving the Duo enrollment prompt when connecting from an authorized network, uncheck the Require enrollment from these networks setting.

When you are finished, scroll to the bottom of the page and click the Save Changes button.
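Because every address in the comma-separated list skips the two-factor prompt, it is worth reviewing the list before saving it. The following Python sketch is an added example, not Duo code: it parses such a list, flags malformed or very broad entries, and reports which entry would exempt a given source IP. The "start-end" range syntax, the 65,536-address review threshold and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of the comma-separated policy field (documentation addresses).
SAMPLE = "198.51.100.0/24, 203.0.113.10, 192.0.2.8-192.0.2.64, 10.0.0.0/8, 203.0.113.300"

def parse_entry(entry):
    """Turn one entry (single IP, CIDR, or range) into a list of networks."""
    entry = entry.strip()
    if "-" in entry:  # assumption: ranges are written "start-end"
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError("range bounds are mixed-family or reversed")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=True rejects CIDRs with host bits set, a common typo
    return [ipaddress.ip_network(entry, strict=True)]

def audit(policy_value, max_addresses=65536):
    """Return (networks, findings) for a comma-separated authorized-networks value.

    max_addresses is an assumed review threshold, not a Duo limit.
    """
    networks, findings = [], []
    for raw in (e.strip() for e in policy_value.split(",")):
        if not raw:
            continue
        try:
            nets = parse_entry(raw)
        except ValueError as exc:
            findings.append((raw, f"unparseable: {exc}"))
            continue
        size = sum(n.num_addresses for n in nets)
        if size > max_addresses:
            findings.append((raw, f"broad: {size} addresses skip 2FA"))
        networks.extend((raw, n) for n in nets)
    return networks, findings

def bypass_entries(networks, source_ip):
    """List the entries that would exempt source_ip from the 2FA prompt."""
    ip = ipaddress.ip_address(source_ip)
    return sorted({raw for raw, n in networks if n.version == ip.version and ip in n})

if __name__ == "__main__":
    nets, findings = audit(SAMPLE)
    for entry, reason in findings:
        print(f"REVIEW {entry}: {reason}")
    for src in ("192.0.2.40", "192.0.2.65", "10.20.30.40"):
        print(src, "->", bypass_entries(nets, src) or "2FA required")
```
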

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
