Contents
Support for the traditional Duo Prompt experience and Duo Prompt delivery via iframe ended on March 30, 2024 for most applications. Review this document carefully as you plan your migration to Universal Prompt solutions or alternate configurations.
Introducing the Universal Prompt
Duo's next-generation authentication experience, the Universal Prompt, provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
Duo Central with Duo Single Sign-on and automatic Duo Push in Universal PromptRefresh to play again
Duo Universal Prompt is generally available for in-scope applications that display the Duo traditional prompt today in browsers and select thick-client applications that use single sign-on. See the Universal Prompt availability and migration status for all applications Universal Prompt Update Progress report in the Duo Admin Panel.
| Universal Prompt | Traditional Prompt |
 |
 |
Future updates to the Universal Prompt will extend the new experience to endpoint remediation and management verification functionality.
Learn more about the design process for the Universal Prompt on the Duo Blog.
Your complete migration from traditional Duo prompt to Universal Prompt for a given application will be a three-step process:
-
Update the application to support the Universal Prompt. This may involve installing a software upgrade provided by Duo or one of our technology partners on your application server, or making a configuration change in the admin console of a cloud-hosted application where you use Duo.
Duo and our partners are working to make more application updates available.
-
Authenticate with Duo 2FA using the updated application so that Duo makes the Universal Prompt activation setting available in the Admin Panel.
-
From the Duo Admin Panel, enable the Universal Prompt experience for users of that application after the application has been updated with Universal Prompt support.
Watch the Duo Blog for future updates about the Duo Universal Prompt.
Traditional Prompt End of Support
Effective March 30, 2024 Duo no longer supports the traditional Duo Prompt for most applications.
Duo is ending support for the traditional Duo Prompt so we can focus on developing new features and functionality of the Duo Universal Prompt.
As of March 30, 2024:
- Traditional Duo Prompt configurations continue to work for two-factor authentication.
- Application configurations that depend on the iframe-based traditional prompt for authentication are no longer supported.
- Users on Duo Free, Essentials, Advantage, and Premier editions must perform two-factor authentication with the Universal Prompt to receive support from Duo.
- Applications granted extended support remain functional and eligible for troubleshooting.
- Duo teams no longer troubleshoot issues with the traditional Duo Prompt, unless authentications are blocked or an application-specific support extension exists.
If you create new Duo web applications which feature the traditional Duo Prompt in an iframe after April 2024, and the application does not have extended support from Duo, users of your application will receive a setup error during authentication instead of the Duo authentication prompt.
If the application in question is provided by a third-party software vendor who has yet to update it with Universal Prompt support, please contact Duo Support.
The following applications explicitly named in the Duo Admin Panel reached the end of extended support for the traditional Duo Prompt in an iframe on September 30, 2024:
The extended support period for NetScaler (formerly known as Citrix Gateway) with RADIUS iframe and traditional Duo Prompt ended on December 31, 2024.
The extended support period for Splunk (on-premises) with the iframe traditional Duo Prompt ends March 30, 2025.
Refer to Duo KB article 8694 for the full list of applications with extended support.
Consult the Universal Prompt Progress report to determine the readiness status for affected applications. The "End of Support" filter on the Duo Admin Panel's "Applications" page does not provide end-of-life alerting for iframe-based traditional Duo Prompt applications at this time.
Review the Universal Prompt Application Scope information in this document to learn more about migration options for your affected applications.
Universal Prompt Feature Support
-
Trusted Endpoints now supports the Universal Prompt. Traditional Prompt for Trusted Endpoints will be phased out on March 6th, 2025, which will transition all applications using Universal Prompt or traditional Duo Prompt in a redirect to the Trusted Endpoint Universal Prompt experience. No action is needed for this change.
-
Two-factor authentication in an interactive, browser-based prompt. Universal Prompt User Guide
-
Duo Push, Duo Mobile passcodes, phone callback, SMS passcodes, WebAuthn platform and roaming authenticators, and hardware token authentication methods, as well as bypass codes. Universal Prompt User Guide: Login Options
-
Self-enrollment for new users performing first-time Duo enrollment from an application with Universal Prompt activated. Universal Prompt User Guide: First-time Enrollment
Customers who signed up for Duo before July 2022: Emailed enrollment links will still fall back to the traditional prompt experience unless you update your enrollment experience global setting to select Show new Universal Prompt.
-
Self-service device management permitting previously enrolled users to add a new device or manage existing devices while logging in to a Duo-protected application. Universal Prompt User Guide: Device Management
-
All Duo Essentials edition features and policies: New User Policy, Authentication Policy, Remembered Devices, and Authorized Networks, Authentication Methods.
-
Trusted endpoints verification on desktop operating systems.
-
Duo Advantage edition endpoint policies: operating system, browser, or plugin device remediation policies.
-
Enhanced localization and language support. The end-user's browser language settings determine the language shown in the prompt and used for Duo Mobile activation, and SMS passcode text messages. No extra language configuration steps are necessary for Duo administrators or users. Administrators may also configure translated custom help desk messages in User Communication settings. The "Language" setting selected in the Admin Panel has no effect on the language shown in the Universal Prompt.
-
English, Spanish (Latin America), Spanish (Spain), French, German, and Japanese: When these languages are used in the Universal Prompt, phone callback authentication will also use the same language.
-
Catalan, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, Hindi, Indonesian, Italian, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Swedish, Thai, Turkish, and Vietnamese: When these languages are used in the Universal Prompt, phone callback authentication remains in English.
-
-
Expanded custom branding which permits customization of the Universal Prompt background image and color bar in addition to the existing customization settings for company logo and hiding the Duo branding line.
Browser Support
The Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), Edge, and Internet Explorer. Not all browsers support all Duo authentication methods, so for the widest compatibility we recommend Chrome.
Check the table below for supported browser versions and Duo login option compatibility. Platform and roaming authenticators may require a different browser or a newer minimum browser version; please refer to WebAuthn Browser Support. Duo's support for the minimum browser version includes Duo Push, passcode, and phone call authentication options.
| Browser | Minimum Supported Version |
|---|---|
| 38 | |
| 9 | |
| 47 | |
| 17 | |
| 11 |
While other browsers may work with the Universal Prompt, we actively test and support the browsers and minimum versions listed in the table.
When you log in, Duo checks your current browser or client compatibility with the Universal Prompt. If your browser or client is not compatible, Duo will show you the traditional prompt experience instead.
Verified Duo Push is not supported in the traditional Duo Prompt. If a user's login attempt requires verified Duo Push due to your effective authentication methods policy or the user being in a step-up scenario as determined by Risk-Based Factor Selection, but the user's browser does not support Universal Prompt, the fallback to traditional Duo Prompt will not require Duo Push verification with a numeric code.
Ensure your users have access to supported, up-to-date browsers to avoid this fallback scenario.
WebAuthn Browser Support
Check the tables below for supported browser versions for platform authenticators (like Touch ID, Face ID, Windows Hello, or Android biometrics) and roaming authenticators (like security keys). While other browsers may work, Duo actively tests and supports the browser minimum versions listed in the tables.
Windows 10 and Later
| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|---|---|---|---|
| Edge | 79 | Yes 1 | Yes |
| Chrome | 73 | Yes1 2 | Yes |
| Firefox | 66 | Yes | Yes |
-
Windows Hello not supported in Chrome Incognito or Edge InPrivate browsing sessions.
-
Use of passkeys as platform authenticators requires Windows 11 and Chrome 108 or later.
macOS 11 and Later
You must sign in with the same iCloud account and enable iCloud Keychain sync on all the Apple devices you plan to use with Duo and passkeys. See the iCloud documentation for instructions specific to your device types:
| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|---|---|---|---|
| Safari | 14 | Yes 1 | Yes |
| Chrome | 70 | Yes1 | Yes |
| Firefox | 114 | Yes 2 | Yes 3 |
-
Use of passkeys as platform authenticators requires macOS 13 and Safari or Chrome 108.
-
Firefox 122 or later is required for platform authenticators.
-
For Duo Passwordless, Firefox on macOS cannot prompt to create a security key's PIN. Security keys that already have a PIN set can be used to authenticate in Firefox.
iOS/iPadOS 15.0 and Later
You must sign in with the same iCloud account and enable iCloud Keychain sync on all the Apple devices you plan to use with Duo and passkeys. See the iCloud documentation for instructions specific to your device types:
| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|---|---|---|---|
| Safari | 14.5 | Yes 1 | Yes |
| Chrome | 95 | Yes1 | Yes |
| Edge | 95 | Yes 1 | Yes |
| Firefox | 68 | Yes 1 | Yes |
- Use of passkeys as platform authenticators requires iOS 16+ or iPadOS 16+.
Android 11 and Later
| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|---|---|---|---|
| Chrome | 95 | Yes 1 | Yes 2 |
| Firefox | 68 | Yes 3 | No 4 |
-
Passkey support with Google Password Manager.
-
Chrome on Android 11 cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.
-
Firefox on Android 11 does not support Android biometric enrollment.
-
Firefox on Android cannot prompt for the security key's PIN to fulfill the passwordless user verification requirement.
Linux
Linux has no supported platform authenticators.
| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|---|---|---|---|
| Chrome | 73 | No | Yes |
| Edge | 79 | No | Yes |
| Firefox | 114 | No | Yes |
ChromeOS 108 and Later
| Browser | Minimum Supported Version | Platform Authenticator | Roaming Authenticator (Security Keys) |
|---|---|---|---|
| Chrome | 108 | Yes | Yes |
Changes to Support the Universal Prompt
We've made some underlying changes to support the Universal Prompt user experience.
Move Away from Iframes
Duo delivers the traditional prompt via an inline frame (or "iframe") using our v2 Web SDK, which means that the Duo Prompt web content is embedded within a web page hosted by the protected application.
Duo Traditional Prompt in an iframe
When planning for the Universal Prompt it soon became apparent that switching from use of inline frames to a "frameless" approach, derived from OIDC standards, would provide enhanced stability and compatibility across our web application integrations, and lay a foundation for future improvements to Duo authentication and device trust.
The most obvious difference between traditional iframe Duo 2FA applications and updated frameless Duo 2FA applications is that instead of showing the Duo Prompt within a page hosted by the application, the application will instead redirect to a page hosted by Duo at duosecurity.com to show the Duo Prompt, and then redirect back to the protected application after the user completes two-factor authentication. The redirect page shows either the Universal Prompt or the traditional prompt; dependent on the Universal Prompt activation status for that application.
Duo Universal Prompt in a Redirect
Duo Traditional Prompt in a Redirect
To achieve the "iframe to frameless" migration, we've updated the Duo Web SDK with this new technical design as version 4.0, and have begun using this updated v4 SDK to bring the Universal Prompt to Duo's own web application integrations such as 2FA for Confluence, Duo Single Sign-On apps, and Duo Network Gateway, to name just a few.
Customers and technical partners should make use of the Duo Web v4 SDK and OIDC standards-based API today to begin the process of updating developed Duo integrations to support the Universal Prompt.
Duo Prompt UI Support per Delivery Method
| OIDC Redirect (Web SDK v4) | Iframe (Web SDK v2) | |
|---|---|---|
Universal Prompt |
YES |
NO |
Traditional Prompt |
YES |
YES |
Read more about the new developer tooling supporting the Universal Prompt on the Duo Blog.
Renamed Application Fields
Each Duo application you create has a unique identifier and an associated key used to sign or verify the two-factor authentication request. These are called the "Integration Key" or ikey and the "Secret key" or skey.
We've relabeled these two pieces of application information to better align with the OAuth 2.0 specification. These values are now known as the "Client ID" or client_id and the "Client secret" or client_secret for applications that support Universal Prompt.
The names may have changed, but the values for any existing integrations remain the same.
Changes to the User Experience
Beyond the visual refresh of Duo's login prompt and the change from interacting with Duo via a redirect to a new page instead of within an iframe, the Universal Prompt makes some key changes to how users complete two-factor authentication.
Refer to the Universal Prompt End User Guide to learn more about the login experience for users.
Automatic Device Selection
The first time a user accesses the Universal Prompt for a given application, Duo evaluates the supported authentication methods for that type of application, the effective authentication methods policy for that application, and the access device platform used, and then automatically selects the most secure authentication option available to the user according to this ordered preference:
Duo authentication methods ordered from most to least secure for computer logins:
- Platform Authenticators
- Roaming Authenticators
- Verified Duo Push
- Duo Mobile push approval
- Duo Desktop authentication
- YubiKey passcodes
- Duo Mobile generated passcodes
- Hardware token passcodes
- SMS passcodes
- Phone call approval
Duo authentication methods ordered from most to least secure for mobile device logins:
- Verified Duo Push
- Duo Mobile push approval
- Duo Mobile generated passcodes
- SMS passcodes
- Phone call approval
- Hardware token passcodes
- Platform authenticators
- Roaming authenticators
- YubiKey passcodes
If a user wants to try a different method than the one selected for them, clicking or tapping Other options in the Universal Prompt shows a list of the user's available authentication methods, subject to the effective authentication methods policy for that application and any platform limitations.
Automatic device selection can be disabled for an individual user by changing the authentication experience setting.
Last Used Method
When a user successfully logs in to a Duo-protected application, the Universal Prompt remembers the authentication method used and defaults to that method for future logins to that application. If a user wants to try a different method then the one used last, clicking Other options in the Universal Prompt shows a list of the user's available authentication methods, subject to the effective authentication methods policy for that application.
Duo will not default to the last method used if the authentication experience setting for a user is set to disable automatic selection of authentication methods.
The traditional prompt does not remember the last used device, showing all available authentication methods for the user.
Device Filtering
The list of authentication methods includes a drop-down filter when a user has seven or more devices. Users can select the device they want to use and then choose an authentication method. Authentication methods not tied to a device, like passkeys, will only be displayed in the unfiltered list.
Automatic Duo Push
If Duo Push authentication is explicitly selected by a user, or automatically selected on behalf of the user during a first-time authentication, then Duo sends the push notification to the user's activated device. If you've enabled Duo Push verification then the Universal prompt displays the code for the user to enter while approving the Duo Push request.
During future authentications by that user to that application, Duo Push continues to send the push to the user automatically.
Automatic Duo Push can be disabled if the authentication experience setting for a user is set to disable automatic selection of authentication methods.
In the traditional prompt a user clicks the Send Me a Push button upon landing on the prompt, or the user may have opted to configure Duo Push as an automatic authentication option when they enrolled that device.
Authentication Options List
The Universal Prompt's list of authentication options (shown when a user clicks "Other options" in the prompt) separates out different methods for a single device into individual selections, and shows the available options for all devices in a single list, with the more secure authenticator options listed first (i.e. fingerprint sensor ahead of phone call, etc.).
If the application or group policy prevents use of any authentication methods, the authentication options list shows only those methods permitted for use by the effective policy i.e. if the effective policy disallows phone call and SMS passcodes then the options shown by Universal Prompt would not include "Call phone" and "Send text message passcode".
The traditional prompt displays the available authentication methods for a single device at a time. If a user has more than one device enrolled (i.e. two phones activated for Duo Push, or a phone and Touch ID), the user would first need to use the device selector to choose from their enrolled devices, and then make the second choice of which authentication method to use with the selected device.
SMS Passcodes
When a user selects text message passcode in the Universal Prompt, they no longer need to request a new passcode as a separate step. A passcode is sent automatically for the user to enter. Universal Prompt supports automatic fill of the passcode received when authenticating from a mobile device in the United States and Canada.
If your users need to authenticate in the Universal Prompt when they do not have cell or data service available for their phones, we recommend they activate Duo Mobile on their phone and use it to generate a passcode while offline, or to use a hardware token or security key.
SMS Passcode Batch
If a user clicks the text message passcode option in the list then the Universal Prompt immediately generates and sends an SMS message with a single passcode, regardless of what you have configured in the SMS batch size setting.
Remembered Devices
If a remembered devices policy is in effect for an application, the Universal Prompt shows the initial "Is this your device?" option to the user after they complete two-factor application approval. The user chooses whether to remember this browser on your device, and then continues to the application. If the user clicks No, other people use this device, they will not be asked to remember that browser on this device again for 14 days.
Opting to remember this browser on your device sets a cookie which allows bypassing two-factor authentication from that browser for as long as the remembered device session cookie remains valid. Depending on how you configured your remembered devices policy, the user may bypass two-factor authentication for that one application, or multiple applications.
When the remembered device cookie expires, the Duo two-factor authentication prompt for that application shows Remember me as an enabled option on the Duo Push, phone call, text message, and passcode authentication screens. Users can uncheck the box before completing Duo authentication to log in without remembering the browser on this device, or leave it enabled to set a new remembered device cookie for the application.
When using a WebAuthn method like Touch ID or a security key after the remembered device cookie expires, users who want to log in without creating a new remembered device session need to cancel the authentication in process to see the Remember me option, and then try the authentication again after unchecking the box.
If the application has no remembered device policy applied the Universal Prompt does not offer to remember the device, and proceeds directly to the application after 2FA success.
The traditional prompt shows the "Remember me..." option in the two-factor prompt before the user completes authentication, and does not show the option if the application has no remembered devices policy.
U2F Support
Universal Prompt drops support for U2F, so security keys must support WebAuthn authentication standards.
If users with combination U2F/WebAuthn security keys did not previously update their U2F key enrollment to WebAuthn in Duo's traditional prompt, those security keys will not be offered as authentication options by the Universal Prompt. These users will be able to enroll the U2F security key as a new WebAuthn security key in the Universal Prompt.
User verification with PIN or biometric for roaming authenticators requires a FIDO2 compatible security key. If you require user verification in your authentication methods policy be sure to make another authentication method available to users who have U2F security keys.
Expanded WebAuthn Authenticator Support
The universal prompt supports platform authenticators from multiple vendors:
- Windows Hello on compatible Windows devices.
- Touch ID on compatible macOS devices.
- Face ID or Touch ID on compatible iOS and iPadOS devices.
- Android Biometrics, such as Pixel fingerprint or facial recognition, or Samsung fingerprint or facial recognition.
Duo Desktop Authentication
The Duo Universal Prompt supports using Duo Desktop as an authentication method. When authenticating, users will be prompted by Duo Desktop to approve or deny an authentication attempt. See Duo Desktop authentication for more information.
Universal Prompt Application Scope
As mentioned, Duo's Universal Prompt supports applications that show the traditional Duo Prompt and device management as a web page today, but with some exceptions.
If you don't see your application listed below, please contact us to discuss your use case.
Migration from your current in-scope and out-of-scope applications to Universal Prompt solutions or alternate configurations should be completed prior to the traditional Duo Prompt end of support on March 30, 2024 or the extended support date for your specific applications, if one exists.
In-Scope Applications
These applications are eligible for upgrade to the Duo Universal Prompt.
As Universal Prompt support becomes available for these in-scope applications, you'll find links to the application update instructions here. Update instructions are also linked from the Universal Prompt section of an eligible application's page in the Duo Admin Panel.
The application names listed below match the "type" information for the applications shown in the Duo Admin Panel. The "Admin API Type" information is the type attribute value as returned by the Duo Admin API Retrieve Integrations endpoint.
Applications Owned by Duo
Duo-owned applications are delivered as setup packages downloaded from duosecurity.com for installation on your on-premises applications, or are built into cloud applications hosted by Duo.
Universal Prompt update information for traditional Duo Prompt applications created and maintained by Duo:
| Traditional Duo Prompt Application | Admin API Type | Universal Prompt Solution |
|---|---|---|
N/A |
Duo Single Sign-On includes Universal Prompt support; no update required. |
|
|
Upgrade Duo Network Gateway to 3.2.0 or later, which automatically enables frameless authentication for each of your Duo Network Gateway Web, SSH, and RDP applications. |
|
|
Duo Web SDK v4 Python, Java, Go, NodeJS, PHP,and C# client libraries for adding Duo Prompt to your applications. These clients support both the "Web SDK" and "Partner Web SDK" applications. Update your custom-developed existing Web SDK v2 applications to use Web SDK v4. If you did not develop the application, contact the vendor who did to find out how to update the application. If you aren't sure how to proceed, contact us. |
|
|
An alternate solution is to use Duo OIDC standards-based Auth API for adding the Duo Universal Prompt using OIDC to your application in any language. Supported by both the "Web SDK" and "Partner Web SDK" applications. Update your custom-developed existing Web SDK v2 applications to use this API if no Web SDK v4 client is available in your required language. If you did not develop the application, contact the vendor who did to find out how to update the application. If you aren't sure how to proceed, contact us. |
|
|
Duo has updated the Device Management Portal application with Universal Prompt support. You will need to update your on-premises Duo Device Management applications to use Duo Web SDK v4 or the Duo OIDC standards-based Auth API before enabling the Duo Universal Prompt device management experience. Device management is an integral component of the user experience, so we've also delivered a new cloud-hosted, self-service management portal with Duo Universal Prompt. Duo Single Sign-On customers can enable this self-service portal in Duo Central to provide device management access to users outside of authentication to a protected application. |
|
Confluence |
|
Please note that Duo ended support for on-premises Confluence Server on February 14, 2024. We recommend migrating to Atlassian Cloud with Duo SSO. |
Jira |
|
Please note that Duo ended support for on-premises Jira Server on February 14, 2024. We recommend migrating to Atlassian Cloud with Duo SSO. |
|
Upgrade from the Duo OAM v1 plugin to the Duo OAM v2 plugin. |
|
|
Upgrade from the Duo AD FS v1 plugin to the Duo AD FS v2 plugin. |
|
|
Duo's custom control for Microsoft Entra ID includes Universal Prompt support; no update required. |
|
|
Duo's external authentication method for Microsoft Entra ID includes Universal Prompt support; no update required. |
|
|
Upgrade from the Duo for Microsoft OWA v1.x application to the Duo for Microsoft OWA v2.0.0 or later application. |
|
|
Upgrade from the Duo for RD Web v2.x application to the Duo for RD Web v3.0.0 or later application. |
|
|
Migrate from the legacy Duo WordPress plugin to the Duo Universal v1.0.0 or later plugin. |
Partner Applications
These applications are eligible for upgrade to the Duo Universal Prompt.
Technology partner and third-party applications with Duo two-factor authentication support typically deliver this functionality as part of their hosted application platform, built-in to their software packages which you install on-premises, or as a 2FA plugin downloaded from them for installation.
Duo's technology partners have Universal Prompt support ready for these applications available by name in the Duo Admin Panel:
| Traditional Duo Prompt Application | Admin API Type | Universal Prompt Solution |
|---|---|---|
|
Universal Prompt support implemented in 1Password web and v8 client applications. |
|
|
No additional configuration required in Aeries SIS. |
|
|
No additional configuration required in Akamai Enterprise Application Access. |
|
Aruba ClearPass |
|
Update ClearPass device software to version 6.11.8. |
|
Universal Prompt support available as of the 2024.2.3 release. |
|
|
Upgrade to CAS 6.3.4 or later and then configure the Duo Security Authentication multifactor provider. |
|
|
Download Duo MFA Web SDK Authentication version 2.0+ and follow the instructions provided in the downloaded zip file to upgrade. |
|
|
Go to the Jenzabar One System Administration Multi-factor Authentication settings and create (or recreate) a "Duo Universal Prompt" multi-factor authentication provider. |
|
|
Visit your LastPass Admin Console to enable the "Use Duo Web SDK when possible" setting in all occurrences of your Duo multifactor authentication settings or enterprise policy. Users of the LastPass browser extension should update to version 4.129 or later. |
|
|
Upgrade to MyWorkDrive version 7 for Duo Universal Prompt support. You should also disable WebDAV for clients as noted in the MyWorkDrive Duo instructions. |
|
|
Create a new custom factor-only IdP in Okta Classic or Okta Identity Engine for Duo authentication using OIDC and apply it to your sign-on policies. |
|
|
Enable the Duo OIDC flow setting in OneLogin account settings. |
|
|
Update the challenge type for the Duo application in Pathlock to "DUO Universal Prompt". |
|
|
Install the "latest" Duo Security Integration Kit 3.x available from Ping. |
|
|
No additional configuration required in SailPoint IdentityNow. |
|
|
Upgrade to Shibboleth 4.1 or later and then configure the |
|
|
Duo Universal Prompt requires an upgrade to Splunk Enterprise on-premises versions 9.1.8, 9.2.5, 9.3.3, 9.4.1, or higher. |
Please contact the vendor directly for support if you experience issues performing any required migration or enablement steps for Duo Universal Prompt in these listed partner-developed integrations.
Users of any third-party applications offering Duo two-factor authentication in an iframe with the traditional Duo Prompt not listed here, please contact the vendor of that application to request information about updates needed to use the Duo Universal Prompt in that application. If you aren't sure how to proceed, contact us and provide information about the third-party application.
Out-of-Scope Applications
These applications are NOT eligible for upgrade to the Duo Universal Prompt. You must have migrated these application configurations to one of the supported options before March 30, 2024 (or migrate before the extended support date noted), for continued Duo authentication.
The following iframe-based traditional Duo Prompt offerings are not in scope for updating to the Universal Prompt. They will have a status of Migration or reconfiguration required in the Universal Prompt Update Progress report and the details page for any of these applications will have no Universal Prompt section. Note that you cannot currently clear this status alert even though you may have already completed the required migration or reconfiguration steps.
The applications listed below will require migration to an alternate Duo solution or configuration for continued operation. Some alternate solutions may not offer any interactive Duo prompt experience.
You can begin planning and executing your migration to the supported solution of your choice immediately.
-
SSL VPN integrations that use LDAPS to communicate with Duo's service directly and require login page customizations on the VPN device to show the Duo Prompt in a browser window. We recommend migrating to a solution with Universal Prompt support:
Traditional Duo Prompt Application Admin API Type Universal Prompt Solution ciscoMigrate to Duo Single Sign-On for Cisco ASA
Alternate migration options without Universal Prompt: Duo RADIUS with Automatic Push for Cisco ASA SSL VPN, or Duo RADIUS Challenge Text Prompt for Cisco ASA SSL VPN
juniperMigrate to Duo Single Sign-On for Ivanti Connect Secure
Alternate migration options without Universal Prompt: Duo RADIUS with Automatic Push for Pulse Connect Secure Access SSL VPN, or Duo RADIUS Challenge Text Prompt for Pulse Connect and Ivanti Secure Access Access SSL VPN
juniperMigrate to Duo Single Sign-On for Ivanti Connect Secure
Alternate migration options without Universal Prompt: Duo RADIUS with Automatic Push for Juniper Secure Access SSL VPN, or Duo RADIUS Challenge Text Prompt for Pulse Connect Secure Access SSL VPN
-
VPN integrations that use the Duo Authentication Proxy's
radius_server_iframeconfiguration to inject the Duo Prompt as an iframe over RADIUS. We recommend migrating to a solution with Universal Prompt support: -
Duo Access Gateway, our on-premises SAML 2.0 single sign-on solution, and by extension all service provider applications that rely on Duo Access Gateway (Admin API type starts with
agsuch asagoffice365). Duo commercial plan customers using Duo Access Gateway should migrate to Duo Single Sign-On. Learn more about migrating from Duo Access Gateway to Duo Single Sign-On. -
Duo Authentication for AD FS 2.x. Duo's MFA adapter for AD FS supporting Windows Server 2016 and later server releases has the necessary updates for Universal Prompt, but there are no further feature updates planned for the AD FS 2.0 (Windows Server 2008 and 2008 R2) and AD FS 2.1 (Windows Server 2012) IIS-based Duo two-factor solution.
We encourage you to migrate to a more recent version of Windows Server and AD FS that permits use of the Duo AD FS multifactor plugin v2.0.0 or later plugin which provides Universal Prompt support.
-
Any Duo application with an "End of Life" or "End of Support" notification on its documentation, i.e. Duo for Drupal 6 and 7.
We will continue to show the iframe-based Duo Prompt for these applications after March 2024 until the eventual end of life of the iframe-based traditional Duo Prompt and encourage you to migrate to alternate configurations that provide a supported path forward, such as migrating from RADIUS iframe authentication to Duo Single Sign-On SAML implementations.
Unaffected Applications
Duo Applications that do not show the browser-based Duo Prompt today are neither in-scope for Universal Prompt support nor affected by the planned iframe and traditional Duo Prompt end of life. These applications do not use an iframe or the traditional Duo prompt. They will have a status of No action needed in the Universal Prompt Update Progress report.
No changes or updates to these applications are required (list not exhaustive):
- Duo Authentication for Windows Logon (Microsoft RDP)
- Duo Authentication for macOS
- Duo Authentication for Microsoft Remote Desktop Gateway
- Duo Unix
- The generic RADIUS and LDAP applications, and any named RADIUS or LDAP integration with these configurations:
- Automatic push or phone call (
radius_server_autoorldap_server_auto) - Append a factor name or passcode to the submitted password (
radius_server_auto,radius_server_concat, orldap_server_auto) - Show a text-based challenge response (
radius_server_challenge) - Accepts a factor name or password as a "second password" in the authenticating device's login UI (
radius_server_duo_only)
- Automatic push or phone call (
- Duo Authentication for Epic Hyperspace or Hyperdrive
- The Duo multi-factor authentication provider built into Workday
- Applications built with Duo's Auth API that show a customized user interface
- This includes the partner 2FA integrations for Delinea Secret Server, Huntress, Keeper, and ConnectWise Automate.
- Any application that does not use Duo's Web SDK
Application Updates
As Duo adds support for the Universal Prompt to applications, you'll see a new section on the details page of the application indicating your progress toward the Universal Prompt for that application, and that application's update status appears on the Universal Prompt Update Progress report.
Most on-premises applications will require that you install a software update with the necessary changes to support the Universal Prompt on your web application server. This software update may be supplied by Duo or by our technical partners, depending on who developed the integration. Users of cloud-hosted SaaS services may need to make a configuration change to your account to enable the Universal Prompt support, at the direction of Duo or the Duo partner that operates the service.
Once an application update becomes available and you've applied it, you then need to authenticate at least once using the updated application so that Duo makes the Universal Prompt activation settings available for that application. Users will see the traditional Duo Prompt until you activate the Universal Prompt option on the updated application from the Duo Admin Panel.
After Universal Prompt becomes generally available, we'll continue providing updates so that more Duo-developed integrations can offer the new prompt experience, and will support customers and technology partners who have developed Web SDK v2 integrations with their update efforts.
Waiting on App Provider
The status shows "Waiting on App Provider" when viewing the Universal Prompt information for an application created by one of Duo's technical partners that has no update available. Contact the application provider to request Duo Universal Prompt support. If you aren't sure how to proceed, contact Duo Support.
Your users continue to see the current Duo prompt experience until an application update becomes available, you apply the update and authenticate using the updated application, and you then activate the Universal Prompt.
Application waiting on update availability
Migration or Reconfiguration Required
Applications not in scope for the Universal Prompt will show the "Migration or reconfiguration required" status if we've detected traditional Duo Prompt use in the past 30 days. These applications will require migration to an alternate Duo solution or configuration for continued operation. The details page for any of these applications shows an alert banner in their Universal Prompt section with a link to download a report of all traditional Duo Prompt use for that app in the past 30 days, and the option to Mark as fixed to clear the alert after you perform the necessary migration or reconfiguration steps. You'll also find links to supporting documentation.
When you clear the alert you're asked to confirm that you have completed the required action for the application. After that, the usage alert and report download link disappears from the app's details page.
Continued use of the traditional Duo Prompt detected after you mark an application as fixed will cause the alert to return. Download and examine the traditional Duo Prompt usage report linked in the alert for identifying details.
Traditional Prompt Usage Report Information
| Report Field | Description |
|---|---|
Timestamp |
The UTC time of detected traditional Duo Prompt use. |
Parent URL |
The URL of the parent page that hosted detected traditional Duo Prompt use is an iframe, if the browser provided the parent page information. Blank if the browser did not provide a parent url for the iframe, or the prompt was not displayed in an iframe. |
Username |
The user who logged in with the traditional Duo Prompt. |
Source IP |
The IP address reported by the authenticating browser when contacting Duo's service |
User Agent |
The UserAgent string of the browser used during authentication, which may include both browser and operating system information. |
Refer to the Universal Prompt solutions in the Out-of-Scope Applications section for further instructions.
Update Required
When Universal Prompt support becomes available for a given Duo integration, whether maintained by Duo or by a partner, the Universal Prompt details on that application's properties page in the Duo Admin Panel indicates availability of an application software update as "Update Required" with a link to update instructions.
If you see this status for a Duo Web SDK application you developed in-house, you will need to update your application from Web SDK v2 to Web SDK v4 before you can use the Universal Prompt. If you did not develop the Web SDK application, please contact the software vendor that did to determine availability of the necessary update. If you aren't sure how to proceed, contact us and provide information about the third-party application.
Your users continue to see the current Duo prompt experience until:
- You apply the update, which implements a redirect to Duo during authentication to support the Universal Prompt.
- You authenticate with Duo 2FA using the updated application. This first authentication after updating shows the traditional Duo prompt in a redirect instead of an iframe.
- You then activate the Universal Prompt for all users of the application.
For an application where you were already using the traditional Duo Prompt you must perform a Duo 2FA authentication after performing the required update. This authentication will not yet show the Universal Prompt, but will update the status of that application in Duo's service to unlock the Universal Prompt activation control so you can then turn it on for the application.
Application update available
Ready to Activate
Once you apply the necessary updates to an application and authenticate to Duo with the update in place, the Universal Prompt details show that the application is ready for the new prompt experience. The status "Ready to Activate" for updated applications reflects that you've done all the work required to update your application for the Universal Prompt.
Duo hosts three applications within our cloud service which we've already updated with Universal Prompt support: Microsoft Azure Active Directory, Microsoft Entra ID: External Authentication Methods, and Duo Single Sign-on (SSO). You can enable the new prompt right away for the Microsoft Azure Active Directory application or for SSO service provider applications that use Duo Single Sign-On, including Duo Central.
Use the activation control options to determine the login experience for your users:
Role required: Owner, Administrator, or Application Manager.
-
Show traditional prompt: Your users experience Duo's traditional prompt via redirect when logging in to this application.
-
Show new Universal Prompt: Your users experience the Universal Prompt via redirect when logging in to this application. Default selection for newly-created supported applications.
Change the Activate Universal Prompt setting to show the Universal Prompt and then scroll to the bottom of the page and click Save.
Your users continue to see the current Duo prompt experience until you activate the Universal Prompt.
Application ready for Universal Prompt
Activation Complete
Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.
Enable the Universal Prompt experience for an application by selecting Show new Universal Prompt in the activation options, and then scrolling to the bottom of the page to click Save.
If you performed a software or configuration update required for Universal Prompt support, you must authenticate once with the updated application to unlock the Show new Universal Prompt control.
Once you activate the Universal Prompt, the application's Universal Prompt status shows "Activation Complete" here and on the Universal Prompt Update Progress report.
Application using Universal Prompt
Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt. However, this will still deliver the Duo prompt via redirect, not in an iframe.
Applications with Universal Prompt activated will display an alert banner on their details pages if we detect traditional Duo Prompt use within the past 30 days. The alert banner has a link to download a report of all traditional Duo Prompt use for that app in the past 30 days, and the option to Mark as fixed to clear the alert. You'll also find links to supporting documentation.
Download the traditional Duo Prompt usage report linked in the alert and examine the information provided for identifying details.
Universal Update Progress
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all of your applications.
Track Universal Prompt Update Progress
The Universal Prompt Update Progress report, accessible at Reports → Universal Prompt Progress in the Duo Admin Panel, acts as a centralized location for determining which of your applications have the new prompt active, monitoring updates to the availability of required software updates needed to support the Universal Prompt, and viewing which applications have the necessary update in place.
All applications, including those not in scope for the Universal Prompt and those unaffected by the end of support for the traditional Duo Prompt, appear on the Universal Prompt Update Progress report.
When viewing the status information for a given application, we show you the number of users who have authenticated to that application in the past 30 days under the application's name.
Use the tabs to filter the report views by your application's Universal Prompt readiness status:
-
Action required: Shows all applications requiring an action. You can select one or more of the following filters:
-
Activate: Applications updated to frameless prompt delivery and ready for Universal Prompt activation. Click the Activate new prompt for users toggle to activate the new prompt experience. Will show the "Ready to activate" status. Note that no toggle appears to activate Universal Prompt for the Device Management Portal. You can still activate the Universal Prompt from the application page for your Device Management Portal application.
-
Update: Applications which need an available software update to frameless prompt delivery as a prerequisite to Universal Prompt. Will show the "Update required" status.
-
Migrate or reconfigure: Applications not in scope for the Universal Prompt. These applications will require migration to an alternate Duo solution or configuration for continued operation. Will show the "Migration or reconfiguration required" status.
-
Update not available yet: Applications without an available update to support the Universal Prompt. Will show the "Waiting on App Provider" status.
-
-
No action required: Applications where users of these applications receive the Universal Prompt, which will show the "Activation complete" status, and applications unaffected by the end of support due to not using the traditional Duo Prompt, which will show the "No action needed" status.
You can bulk activate the Universal Prompt for applications with the "Ready to activate" status by clicking on the Activate Universal Prompt for _ apps button in the top right corner. Then click Activate for _ apps in the pop-up window.
Troubleshooting
Need some help? Take a look at our Universal Prompt Knowledge Base articles. If you're having issues applying software updates provided by Duo to support Universal Prompt or require other technical assistance with Universal Prompt migration, contact Duo Support.
If you use an application developed by a third-party software vendor which shows "Waiting on App Provider" status, please contact that application vendor directly to ask when they will make Duo Universal Prompt available in their application.