Duo Universal Prompt Update Guide

Last Updated: June 1st, 2023

Support for the traditional Duo Prompt experience and Duo Prompt delivery via iframe ends on March 30, 2024. Review this document carefully as you plan your migration to Universal Prompt solutions or alternate configurations.

Introducing the Universal Prompt

Duo's next-generation authentication experience, the Universal Prompt, provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Duo Central with Duo Single Sign-on and Duo Push in Universal Prompt Duo Central with Duo Single Sign-on and automatic Duo Push in Universal Prompt

Duo Universal Prompt is generally available for in-scope applications that display the Duo traditional prompt today in browsers and select thick-client applications that use single sign-on. See the Universal Prompt migration status for affected applications from the Universal Prompt Update Progress report in the Duo Admin Panel.

 Duo Push in Universal Prompt

 Duo Push in Traditional Prompt

Future updates to the Universal Prompt will extend the new experience to endpoint remediation and management verification functionality.

Learn more about the design process for the Universal Prompt on the Duo Blog.

Your complete migration from traditional Duo prompt to Universal Prompt for a given application will be a three-step process:

  1. Update the application to support the Universal Prompt. This may involve installing a software upgrade provided by Duo or one of our technology partners on your application server, or making a configuration change in the admin console of a cloud-hosted application where you use Duo.

    Duo and our partners are working to make more application updates available.

  2. Authenticate with Duo 2FA using the updated application so that Duo makes the Universal Prompt activation setting available in the Admin Panel.

  3. From the Duo Admin Panel, enable the Universal Prompt experience for users of that application after the application has been updated with Universal Prompt support.

Watch the Duo Blog for future updates about the Duo Universal Prompt.

Traditional Prompt End of Support

Effective March 30, 2024, Duo will no longer support the traditional Duo Prompt.

Duo is ending support for the traditional Duo Prompt so we can focus on developing new features and functionality of the Duo Universal Prompt.

Beginning March 30, 2024:

  • The traditional Duo Prompt will no longer be available for two-factor authentication.
  • Users on Duo Free, Essentials, Advantage, and Premier editions must perform two-factor authentication with the Universal Prompt.
  • Duo teams will no longer be able to troubleshoot issues with the traditional Duo Prompt or the iframe.
  • Application configurations that depend on the iframe-based traditional prompt for authentication will no longer be supported.
  • The standalone Web SDK v2 device management portal, which offers self-service Duo authenticator management in an iframe, will no longer be supported.
  • Self-service device management for users must be accessed inline during Universal Prompt authentication to an application or from Duo Central.

Consult the Universal Prompt Progress report to determine the readiness status for affected applications. The "End of Support" filter on the Duo Admin Panel's "Applications" page does not provide end-of-life alerting for iframe-based traditional Duo Prompt applications at this time.

Review the Universal Prompt Application Scope information in this document to learn more about migration options for your affected applications.

Universal Prompt Feature Support

The Universal Prompt does not yet have full feature parity with the traditional prompt.

Available Now

Future Updates

Features and functionality in active development:

We'll let you know when the Universal Prompt experience includes additional features.

Browser Support

The Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), Edge, and Internet Explorer. Not all browsers support all Duo authentication methods, so for the widest compatibility we recommend Chrome.

Check the table below for supported browser versions and Duo login option compatibility. Duo's support for the minimum browser version includes Duo Push, passcode, and phone call authentication options. Other login options, like Touch ID, may require a different browser or a newer minimum browser version, as noted in the table.

| Browser | Minimum Supported Version | Security Keys Minimum Version | Touch ID Minimum Version |
|---|---|---|---|
| Chrome | 38 | 70 | 70 |
| Safari | 9 | 13 on macOS, 13.4 on iOS | Not supported |
| Firefox | 47 | 60 | Not supported |
| Edge | 17 | 79 | Not supported |
| Internet Explorer | 11 | Not supported | Not supported |

While other browsers may work with the Universal Prompt, we actively test and support the browsers and minimum versions listed in the table.

When you log in, Duo checks your current browser or client compatibility with the Universal Prompt. If your browser or client is not compatible, Duo will show you the traditional prompt experience instead.

Changes to Support the Universal Prompt

We've made some underlying changes to support the Universal Prompt user experience.

Move Away from Iframes

Duo delivers the traditional prompt via an inline frame (or "iframe") using our v2 WebSDK, which means that the Duo Prompt web content is embedded within a web page hosted by the protected application.

Duo Traditional Prompt in an iframe

Duo Prompt iframe Experience Example

When planning for the Universal Prompt it soon became apparent that switching from use of inline frames to a "frameless" approach, derived from OIDC standards, would provide enhanced stability and compatibility across our web application integrations, and lay a foundation for future improvements to Duo authentication and device trust.

The most obvious difference between traditional iframe Duo 2FA applications and updated frameless Duo 2FA applications is that instead of showing the Duo Prompt within a page hosted by the application, the application redirects to a page hosted by Duo at duosecurity.com to show the Duo Prompt, and then Duo redirects back to the protected application after the user completes two-factor authentication. The redirect page shows either the Universal Prompt or the traditional prompt, depending on the Universal Prompt activation status for that application.

Duo Universal Prompt in a Redirect

Duo Prompt Frameless Experience Example

Duo Traditional Prompt in a Redirect

Duo Prompt Frameless Experience Example

To achieve the "iframe to frameless" migration, we've updated the Duo Web SDK with this new technical design as version 4.0, and have begun using this updated v4 SDK to bring the Universal Prompt to Duo's own web application integrations such as 2FA for Confluence, Duo Single Sign-On apps, and Duo Network Gateway, to name just a few.

Customers and technical partners should make use of the Duo Web v4 SDK and OIDC standards-based API today to begin the process of updating developed Duo integrations to support the Universal Prompt.
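
The redirect round trip described above means the application, not an embedded frame, must tie Duo's response back to the browser session that started it. The sketch below is an added example, not code from Duo or the Web SDK: `StubDuoClient`, its method names, the placeholder hostname and URL path, and the `state`/`code` query parameter names are assumptions modelled on a generic OIDC authorization-code flow.

```python
import hmac
import secrets
from urllib.parse import urlencode


class StubDuoClient:
    """Hypothetical stand-in for a Web SDK v4 / OIDC client (not Duo's API)."""

    def __init__(self, api_host):
        self.api_host = api_host
        self._issued = {}  # code -> username; simulates the Duo-hosted side

    def auth_url(self, username, state):
        # Placeholder path; a real client builds the actual Duo URL.
        query = urlencode({"state": state, "user": username})
        return f"https://{self.api_host}/placeholder-authorize?{query}"

    def simulate_user_approval(self, username):
        # Stands in for the user completing 2FA on the Duo-hosted page.
        code = secrets.token_urlsafe(16)
        self._issued[code] = username
        return code

    def exchange_code(self, code, username):
        # Codes are single use and bound to the user they were issued for.
        if self._issued.pop(code, None) != username:
            raise ValueError("code invalid or issued for a different user")
        return {"username": username, "result": "allow"}


def begin_2fa(session, username, duo):
    """Call after primary authentication succeeds; returns the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["duo_state"] = state          # bind the round trip to this session
    session["duo_username"] = username    # remember who passed primary auth
    session["authenticated"] = False
    return duo.auth_url(username, state)


def finish_2fa(session, query, duo):
    """Callback handler; True only when state matches and the result is allow."""
    expected_state = session.pop("duo_state", None)  # single use
    username = session.pop("duo_username", None)
    returned_state = query.get("state", "")
    code = query.get("code", "")
    if not expected_state or not username or not code:
        return False
    # Constant-time comparison of the state echoed back on the redirect.
    if not hmac.compare_digest(expected_state.encode(), returned_state.encode()):
        return False
    try:
        result = duo.exchange_code(code, username)
    except ValueError:
        return False
    if result.get("result") != "allow" or result.get("username") != username:
        return False
    session["authenticated"] = True
    session["user"] = username
    return True
```
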

Duo Prompt UI Support per Delivery Method

| | OIDC Redirect (Web SDK v4) | Iframe (Web SDK v2) |
|---|---|---|
| Universal Prompt | YES | NO |
| Traditional Prompt | YES | YES |

Read more about the new developer tooling supporting the Universal Prompt on the Duo Blog.

Renamed Application Fields

Each Duo application you create has a unique identifier and an associated key used to sign or verify the two-factor authentication request. These are called the "Integration Key" or ikey and the "Secret key" or skey.

We've relabeled these two pieces of application information to better align with the OAuth 2.0 specification. These values are now known as the "Client ID" or client_id and the "Client secret" or client_secret for applications that support Universal Prompt.

The names may have changed, but the values for any existing integrations remain the same.

Changes to the User Experience

Beyond the visual refresh of Duo's login prompt, the Universal Prompt makes some key changes to how users complete two-factor authentication.

Refer to the Universal Prompt End User Guide to learn more about the login experience for users.

Automatic Device Selection

The first time a user accesses the Universal Prompt for a given application, Duo evaluates the supported authentication methods for that type of application and the effective authentication methods policy for that application, and then automatically selects the most secure authentication option available to the user according to this ordered preference:

Duo authentication methods from most to least secure:

  1. Touch ID
  2. Security keys
  3. Verified Duo Push
  4. Duo Mobile push approval
  5. YubiKey passcodes
  6. Duo Mobile generated passcodes
  7. Hardware token passcodes
  8. SMS passcodes
  9. Phone call approval

If a user wants to try a different method than the one selected for them, clicking Other options in the Universal Prompt shows a list of the user's available authentication methods, subject to the effective authentication methods policy for that application.

Last Used Method

When a user successfully logs in to a Duo-protected application, the Universal Prompt remembers the authentication method used and defaults to that method for future logins to that application. If a user wants to try a different method than the one used last, clicking Other options in the Universal Prompt shows a list of the user's available authentication methods, subject to the effective authentication methods policy for that application.

The traditional prompt does not remember the last used device, showing all available authentication methods for the user.

Automatic Duo Push

If Duo Push authentication is explicitly selected by a user, or automatically selected on behalf of the user during a first-time authentication, then Duo sends the push notification to the user's activated device. If you've enabled Duo Push verification, then the Universal Prompt displays the code for the user to enter while approving the Duo Push request.

During future authentications by that user to that application, Duo Push continues to send the push to the user automatically. There is no way for users or administrators to disable automatic Duo Push in the Universal Prompt.

In the traditional prompt a user clicks the Send Me a Push button upon landing on the prompt, or the user may have opted to configure Duo Push as an automatic authentication option when they enrolled that device.

Authentication Options List

The Universal Prompt's list of authentication options (shown when a user clicks "Other options" in the prompt) separates out different methods for a single device into individual selections, and shows the available options for all devices in a single list, with the more secure authenticator options listed first (i.e. fingerprint sensor ahead of phone call, etc.).

If the application or group policy prevents use of any authentication methods, the authentication options list shows only those methods permitted for use by the effective policy. For example, if the effective policy disallows phone call and SMS passcodes, then the options shown by the Universal Prompt would not include "Call phone" and "Send text message passcode".

List of Authentication Options in Universal Prompt

The traditional prompt displays the available authentication methods for a single device at a time. If a user has more than one device enrolled (i.e. two phones activated for Duo Push, or a phone and Touch ID), the user would first need to use the device selector to choose from their enrolled devices, and then make the second choice of which authentication method to use with the selected device.
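
The selection rules in Automatic Device Selection, Last Used Method and Authentication Options List can be modelled to predict what a policy change will show users. This is an added example, not Duo's code: the method identifiers and device names are constructed, and falling back to the most secure option when the last used method is no longer permitted is an assumption the page does not state.

```python
# Model of the Universal Prompt selection rules described on this page.
# Identifiers below are constructed labels, not values from any Duo API.

# Ordered preference from the page, most secure first.
PREFERENCE = [
    "touch_id",
    "security_key",
    "verified_push",
    "push",
    "yubikey_passcode",
    "mobile_passcode",
    "hardware_token_passcode",
    "sms_passcode",
    "phone_call",
]
RANK = {method: position for position, method in enumerate(PREFERENCE)}

# Constructed sample enrollment: device name -> methods that device offers.
DEVICES = {
    "Work iPhone": {"push", "mobile_passcode", "sms_passcode", "phone_call"},
    "MacBook Touch ID": {"touch_id"},
    "Backup Android": {"push", "sms_passcode"},
}
ALL_METHODS = set(PREFERENCE)
# Constructed policy: phone call and SMS passcodes disallowed.
NO_TELEPHONY = ALL_METHODS - {"sms_passcode", "phone_call"}


def options_list(devices, app_supported, policy_allowed):
    """One flat list of (method, device) across all devices, most secure first.

    Only methods both supported by the application type and permitted by the
    effective policy are listed.
    """
    permitted = set(app_supported) & set(policy_allowed)
    options = [
        (method, device)
        for device, methods in devices.items()
        for method in methods
        if method in permitted and method in RANK
    ]
    # Sort by security rank; device name breaks ties so output is stable.
    return sorted(options, key=lambda option: (RANK[option[0]], option[1]))


def default_option(devices, app_supported, policy_allowed, last_used=None):
    """Option the prompt would start with, or None if nothing is permitted.

    last_used is the (method, device) pair from the previous successful login
    to this application. Assumption: if it is no longer permitted, the model
    falls back to the most secure remaining option.
    """
    options = options_list(devices, app_supported, policy_allowed)
    if not options:
        return None
    if last_used in options:
        return last_used
    return options[0]
```
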

SMS Passcode Batch

If a user clicks the text message passcode option in the list then the Universal Prompt immediately generates and sends an SMS message with a single passcode, regardless of what you have configured in the SMS batch size setting.

If your users need to authenticate in the Universal Prompt when they do not have cell or data service available for their phones, we recommend they activate Duo Mobile on their phone and use it to generate a passcode while offline, or to use a hardware token or security key.

Remembered Devices

If a remembered devices policy is in effect for an application, Universal Prompt shows the initial browser trust option to the user after they complete two-factor application approval. The user chooses whether to trust the browser or not, and then continues to the application. If the user clicks No, do not trust browser, they will not be asked to trust that browser again for 14 days.

Remembered Devices Browser Option in Universal Prompt

Opting to trust the browser sets a cookie which allows bypassing two-factor authentication from that browser for as long as the trusted session cookie remains valid. Depending on how you configured your remembered devices policy, the user may bypass two-factor authentication for that one application, or multiple applications.

When the remembered device cookie expires, the Duo two-factor authentication prompt for that application shows "Trust browser" as an enabled option on the Duo Push, phone call, text message, and passcode authentication screens. Users can uncheck the box before completing Duo authentication to log in without trusting the browser, or leave it enabled to set a new remembered device cookie for the application.

Expired Remembered Devices Browser Option for Universal Prompt Duo Push

When using a WebAuthn method like Touch ID or a security key after the remembered device cookie expires, users who want to log in without creating a new remembered device session need to cancel the authentication in process to see the "Trust browser" option, and then try the authentication again after unchecking the box.

Expired Remembered Devices Browser Option for Universal Prompt Touch ID

If the application has no remembered device policy applied, the Universal Prompt does not show the browser trust screen, and proceeds directly to the application after 2FA success.

The traditional prompt shows the "Remember me..." option in the two-factor prompt before the user completes authentication, and does not show the option if the application has no remembered devices policy.

Remembered Devices Browser Option in Traditional Prompt

U2F Support

Universal Prompt drops support for U2F, so security keys must support WebAuthn authentication standards.

If users with combination U2F/WebAuthn security keys did not previously update their U2F key enrollment to WebAuthn in Duo's traditional prompt, those security keys will not be offered as authentication options by the Universal Prompt. These users will be able to enroll the U2F security key as a new WebAuthn security key in the Universal Prompt.

Universal Prompt Application Scope

As mentioned, Duo's Universal Prompt supports applications that show the traditional Duo Prompt and device management as a web page today, but with some exceptions.

If you don't see your application listed below, please contact us to discuss your use case.

Migration from your current in-scope and out-of-scope applications to Universal Prompt solutions or alternate configurations should be completed prior to the traditional Duo Prompt end of support on March 30, 2024.

In-Scope Applications

As Universal Prompt support becomes available for these in-scope applications, you'll find links to the application update instructions here. Update instructions are also linked from the Universal Prompt section of an eligible application's page in the Duo Admin Panel.

The application names listed below match the "type" information for the applications shown in the Duo Admin Panel. The "Admin API Type" information is the type attribute value as returned by the Duo Admin API Retrieve Integrations endpoint.

Applications Owned by Duo

Duo-owned applications are delivered as setup packages downloaded from duosecurity.com for installation on your on-premises applications, or are built into cloud applications hosted by Duo.

Universal Prompt update information for traditional Duo Prompt applications created and maintained by Duo:

| Traditional Duo Prompt Application | Admin API Type | Universal Prompt Solution |
|---|---|---|
| Duo Single Sign-On | N/A | Duo Single Sign-On includes Universal Prompt support; no update required. |
| Duo Network Gateway | dng, dng-ssh, dng-rdp | Upgrade Duo Network Gateway to v1.5.10 or later and apply the "Enable Frameless" option for each of your Web, SSH, and RDP applications in the Network Gateway admin console. |
| Duo Web SDK v2 | websdk, partner_websdk | Duo Web SDK v4 Python, Java, Go, NodeJS, PHP, and C# client libraries for adding Duo Prompt to your applications. These clients support both the "Web SDK" and "Partner WebSDK" applications. Update your custom-developed existing Web SDK v2 applications to use Web SDK v4. If you did not develop the application, contact the vendor who did to find out how to update the application. If you aren't sure how to proceed, contact us. |
| Duo Web SDK v2 | websdk, partner_websdk | Duo OIDC standards-based Auth API for adding the Duo Universal Prompt using OIDC to your application in any language. Supported by both the "Web SDK" and "Partner WebSDK" applications. Update your custom-developed existing Web SDK v2 applications to use this API if no Web SDK 4 client is available in your required language. If you did not develop the application, contact the vendor who did to find out how to update the application. If you aren't sure how to proceed, contact us. |
| Confluence | confluence | Upgrade from the Duo Confluence v1 plugin to the Duo Atlassian v2 plugin. |
| Jira | jira | Upgrade from the Duo Jira v1 plugin to the Duo Atlassian v2 plugin. |
| Oracle Access Manager (OAM) | oam | Upgrade from the Duo OAM v1 plugin to the Duo OAM v2 plugin. |
| Microsoft AD FS on Windows 2012 R2 and later | adfs | Upgrade from the Duo AD FS v1 plugin to the Duo AD FS v2 plugin. |
| Microsoft Azure Active Directory | azure-ca | Duo's custom control for Microsoft Azure Active Directory includes Universal Prompt support; no update required. |
| Microsoft OWA on Windows 2012 R2 and later | owa | Upgrade from the Duo for Microsoft OWA v1.x application to the Duo for Microsoft OWA v2.0.0 or later application. |
| Microsoft RD Web | rdweb | Solution will be available from Duo in 2023. |
| Duo for WordPress | wordpress | Solution will be available from Duo in the first half of 2023. |

Partner Applications

Technology partner and third-party applications with Duo two-factor authentication support typically deliver this functionality as part of their hosted application platform, built in to their software packages which you install on-premises, or as a 2FA plugin downloaded from them for installation.

Duo's technology partners have Universal Prompt support ready for these applications:

| Traditional Duo Prompt Application | Admin API Type | Universal Prompt Solution |
|---|---|---|
| 1Password | 1password | Universal Prompt support implemented in 1Password web and v8 client applications. |
| CAS (Central Authentication Service) | cas | Upgrade to CAS 6.3.4 or later and then configure the Duo Security multifactor provider. |
| Okta | okta | Create a new custom factor-only IdP in Okta Classic or Okta Identity Engine for Duo authentication using OIDC and apply it to your sign-on policies. |
| OneLogin | okta | Enable the Duo OIDC flow setting in OneLogin account settings. |
| PingFederate | pingfederate | Install the Duo Security Integration Kit 3.0 available from Ping. |
| Shibboleth | shibboleth | Upgrade to Shibboleth 4.1 or later and then configure the DuoOIDCAuthnConfiguration authentication plugin. |

Users of any third-party applications offering Duo two-factor authentication in an iframe with the traditional Duo Prompt not listed here, please contact the vendor of that application to request information about updates needed to use the Duo Universal Prompt in that application. If you aren't sure how to proceed, contact us and provide information about the third-party application.

Out-of-Scope Applications

The following iframe-based traditional Duo Prompt offerings are not in scope for updating to the Universal Prompt. They do not appear in the Universal Prompt Update Progress report, and when viewing the details page for any of these applications there is no Universal Prompt section.

The applications listed below will require migration to an alternate Duo solution or configuration for continued operation. You can begin planning and executing your migration to the supported solution of your choice immediately.

We'll continue to show and support the iframe-based Duo Prompt for these applications up until March 2024 as we explore alternate configurations that provide a path forward, such as migrating from RADIUS iframe authentication to Duo Single Sign-On SAML implementations.

Unaffected Applications

Duo Applications that do not show the browser-based Duo Prompt today are neither in-scope for Universal Prompt support nor affected by the planned iframe and traditional Duo Prompt end of life. These applications do not use an iframe or the traditional Duo prompt.

No changes or updates to these applications are required (list not exhaustive):

Application Updates

As Duo adds support for the Universal Prompt to applications, you'll see a new section on the details page of the application indicating your progress toward the Universal Prompt for that application, and that application's update status appears on the Universal Prompt Update Progress report.

Most on-premises applications will require that you install a software update with the necessary changes to support the Universal Prompt on your web application server. This software update may be supplied by Duo or by our technical partners, depending on who developed the integration. Users of cloud-hosted SaaS services may need to make a configuration change to your account to enable the Universal Prompt support, at the direction of Duo or the Duo partner that operates the service.

Once an application update becomes available and you've applied it, you then need to authenticate at least once using the updated application so that Duo makes the Universal Prompt activation settings available for that application. Users will see the traditional Duo Prompt until you activate the Universal Prompt option on the updated application from the Duo Admin Panel.

After Universal Prompt becomes generally available, we'll continue providing updates so that more Duo-developed integrations can offer the new prompt experience, and will support customers and technology partners who have developed WebSDK v2 integrations with their update efforts.

Waiting on App Provider

The status shows "Waiting on App Provider" when viewing the Universal Prompt information for an application created by one of Duo's technical partners that has no update available. Contact the application provider to request Duo Universal Prompt support. If you aren't sure how to proceed, contact us.

Your users continue to see the current Duo prompt experience until an application update becomes available, you apply the update and authenticate using the updated application, and you then activate the Universal Prompt.

Application waiting on update availability

Universal Prompt Info - Update Not Yet Available

Waiting on Duo

Applications maintained by Duo show the "Waiting on Duo" status when viewing the Universal Prompt information for an application that has no update available. Refer to the list of applications owned by Duo for update availability information.

Your users continue to see the current Duo prompt experience until Duo makes an application update available, you apply the update and authenticate using the updated application, and you then activate the Universal Prompt.

Duo-owned application waiting on update availability

Universal Prompt Info - Duo Application Update Not Yet Available

App Update Ready

When Universal Prompt support becomes available for a given Duo integration, whether maintained by Duo or by a partner (or by you, our customer, for any Duo applications you may have developed in-house), the Universal Prompt details on that application's properties page in the Duo Admin Panel indicate availability of an application software update as "App Update Ready" with a link to update instructions.

Your users continue to see the current Duo prompt experience until:

  1. You apply the update, which implements a redirect to Duo during authentication to support the Universal Prompt.
  2. You authenticate with Duo 2FA using the updated application. This first authentication after updating shows the traditional Duo prompt in a redirect.
  3. You then activate the Universal Prompt for all users of the application.

For an application where you were already using the traditional Duo Prompt you must perform a Duo 2FA authentication after performing the required update. This authentication will not yet show the Universal Prompt, but will update the status of that application in Duo's service to unlock the Universal Prompt activation control so you can then turn it on for the application.

If you see this status for a Duo WebSDK application you developed in-house, you will need to update your application from Web SDK v2 to Web SDK v4 before you can use the Universal Prompt. If you did not develop the WebSDK application, please contact the software vendor that did to determine availability of the necessary update. If you aren't sure how to proceed, contact us and provide information about the third-party application.

Application update available

Universal Prompt Info - Update Available

New Prompt Ready

Once you apply the necessary updates to an application and authenticate to Duo with the update in place, the Universal Prompt details show that the application is ready for the new prompt experience. The status "New Prompt Ready" for updated applications reflects that you've done all the work required to update your application for the Universal Prompt.

Duo hosts two applications within our cloud service which we've already updated with Universal Prompt support: Microsoft Azure Active Directory and Duo Single Sign-on (SSO). You can enable the new prompt right away for the Microsoft Azure application or for SSO service provider applications that use Duo Single Sign-On, including Duo Central.

Use the activation control options to determine the login experience for your users:

Role required: Owner, Administrator, or Application Manager.

  • Show traditional prompt: Your users experience Duo's traditional prompt when logging in to this application.

  • Show new Universal Prompt: Your users experience the Universal Prompt when logging in to this application. Default selection for newly-created supported applications.

Change the Activate Universal Prompt setting to show the Universal Prompt and then scroll to the bottom of the page and click Save.

Your users continue to see the current Duo prompt experience until you activate the Universal Prompt.

Application ready for Universal Prompt

Universal Prompt Info - Application Ready for Universal Prompt

Update Complete

Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.

Enable the Universal Prompt experience for an application by selecting Show new Universal Prompt in the activation options, and then scrolling to the bottom of the page to click Save.

Once you activate the Universal Prompt, the application's Universal Prompt status shows "Update Complete" here and on the Universal Prompt Update Progress report.

Application using Universal Prompt

Universal Prompt Info - Universal Prompt Activation Complete

If you performed a software or configuration update required for Universal Prompt Support, you must authenticate once with the updated application to unlock the Show new Universal Prompt control.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for your Duo applications built with Web SDK v2 and in-scope for Universal Prompt support.

Track Universal Prompt Update Progress

The Universal Prompt Update Progress report, accessible at Reports → Universal Prompt Progress in the Duo Admin Panel, acts as a centralized location for determining which of your applications have the new prompt active, monitoring updates to the availability of required software updates needed to support the Universal Prompt, and viewing which applications have the necessary update in place.

Applications not in scope for Universal Prompt, as well as those unaffected by the end of support for the traditional Duo Prompt, do not appear on the Universal Prompt Update Progress report.

When viewing the status information for a given application, we show you the number of users who have authenticated to that application in the past 30 days under the application's name.

Universal Prompt Update Progress Report

Use the tabs to filter the report views by your application's Universal Prompt readiness status:

  • All: Shows the Universal Prompt status for all in-scope applications.
  • App Update Ready: Applications which need an available software update to frameless prompt delivery as a prerequisite to Universal Prompt.
  • New Prompt Ready: Applications updated to frameless prompt delivery and ready for Universal Prompt activation. Click the Activate new prompt for users toggle to activate the new prompt experience.
  • Update Complete: Users of this application receive the Universal Prompt.
  • Waiting on App Provider: Applications without an available update to support the Universal Prompt.

Troubleshooting

Need some help? Take a look at our Universal Prompt Knowledge Base articles. If you're having issues applying the software updates to support Universal Prompt or require other technical assistance, contact Duo Support.

Please also contact us if you have any feedback about your organization's experience activating and using the Universal Prompt (refer technical assistance requests to Duo Support).