Skip navigation
Documentation

Using Remembered Devices & Authorized Networks Controls

Contents

Admins can make Duo's authentication protection even easier for users while maintaining good security practices throughout their organization with the Remembered Devices and Authorized Networks features.

Overview

We have a mantra at Duo -- The less your users see of us, the better.

We strive to provide strong authentication for your users while maintaining a seamless, non-disruptive login experience. We've introduced two features that increase convenience for your users and give admins fine-grained control over when users are prompted for two-factor authentication. These features are Remembered Devices and Authorized Networks.

Configuring Remembered Devices

Duo's remembered devices feature is similar to the "remember my computer" or "keep me logged in" options users are accustomed to seeing during primary authentication on many websites. With the remembered devices feature enabled, the user is offered a “Remember me for ...” checkbox during login. When users check this box, they aren't challenged for secondary authentication again when they log in to that application from that device for the specified period of time.

Remembered devices are managed separately for each application in the Duo MFA Edition, and are currently supported in our web-based applications (e.g. SSL VPNs, Outlook Web Access, Shibboleth, WordPress, etc.). You can choose to allow users this option for some applications while still always requiring secondary authentication for critical services.

If you're on the Duo Access or Duo Beyond plan, use the policy editor to change the "Remembered Devices" policy setting globally or for specific applications and users. See the Policy & Control documentation for more information.

Role required: Owner, Administrator, or Application Manager.

To enable remembered devices:

  1. Log in to the Duo Admin Panel and click Applications in the left sidebar.

  2. Select an application by clicking on its name. This will take you to the properties page for that application.

  3. Scroll down the page to the Policy section and find the Remembered devices setting. Click the check box next to Allow users to remember their device for _ days and enter the desired number of days or hours — up to 365 days — in the space provided (the default is 30 days).

    Remembered Devices

  4. Scroll to the bottom of the page and click the Save Changes button when you are done.

Configuring Authorized Networks

Many organizations mandate stronger authentication only for untrusted, Internet-originated access to company services. For example, you may want to enforce two-factor authentication on your VPN endpoint for remote employees, while allowing local employees plugged in via an 802.1x-authenticated wired ports to access internal resources without a two-factor challenge.

A Duo administrator can specify these authorized networks by IP addresses or CIDR blocks. Users originating from any of the defined authorized networks are not prompted for Duo's two-factor authentication.

If you're on Duo's Duo Access or Duo Beyond plans, use the policy editor to change the "Authorized Networks" policy setting globally or for specific applications and users. See the Policy & Control documentation for more information.

Role required: Owner, Administrator, or Application Manager.

To configure Authorized Networks:

  1. Log in to the Duo Admin Panel and click Applications in the left sidebar.

  2. Select an application by clicking on its name. This will take you to the properties page for that application.

  3. Scroll down the page to the Policy section and find the Authorized Networks setting. There you can check the Don’t require two-factor authentication for logins from the following IPs: box and specify a block of IP addresses, IP ranges, or CIDRs as a comma-separated list.

    Authorized Networks

    By default, users are prompted to enroll in Duo when logging in from an authorized network when your application's new user policy is set to require enrollment. To prevent unenrolled users from receiving the Duo enrollment prompt when connecting from an authorized network, uncheck the Require enrollment from these networks setting.

  4. When you are finished, be sure to scroll to the bottom of the page and click the Save Changes button.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free