Duo's next-generation authentication experience, the Universal Prompt, provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
Duo Universal Prompt will be generally available for in-scope applications that display the Duo traditional prompt today in browsers and select thick-client applications that use single sign-on. See which of your Duo applications can migrate to the Universal Prompt at a glance from the Universal Prompt Update Progress report.
Future updates during the Universal Prompt preview period will extend the new experience to endpoint security posture and management verification functionality.
Your complete migration from traditional Duo prompt to Universal Prompt will be a two-step process:
(Limited Current Availability) Update the application to support the Universal Prompt. This may involve installing a software upgrade provided by Duo or one of our technology partners on your application server, or making a configuration change in the admin console of a cloud-hosted application where you use Duo.
Duo and our partners are working to make these application updates available throughout the Universal Prompt preview.
(Available as Public Preview) In the Duo Admin Panel, enable the Universal Prompt experience for users of that application after the application has been updated with Universal Prompt support.
Watch the Duo Blog for future updates about the Duo Universal Prompt.
The Universal Prompt preview does not have full feature parity with the traditional prompt yet. We'll be adding additional functionality and features to the Universal Prompt experience throughout the preview period.
Two-factor authentication in an interactive, browser-based prompt. Universal Prompt User Guide
Duo Push, Duo Mobile passcodes, phone callback, SMS passcodes, WebAuthn security keys, Touch ID, and hardware token authentication methods, as well as bypass codes. Universal Prompt User Guide: Login Options
Self-enrollment for new users performing first-time Duo enrollment from an application with Universal Prompt activated. Universal Prompt User Guide: First-time Enrollment
Note that emailed enrollment links will still fall back to the traditional prompt experience.
Self-service device management permitting previously enrolled users to add a new device or manage existing devices while logging in to a Duo-protected application. Universal Prompt User Guide: Device Management
English, Spanish, French, German, and Japanese localization. The end-user's browser language settings determine the language shown in the prompt, with no extra configuration necessary by Duo administrators or users. The "Language" setting selected in the Admin Panel has no effect on the language shown in the Universal Prompt.
Features and functionality in active development:
Duo Access edition endpoint features and policies: if any policies configuring user location or anonymous network restrictions, device remediation, or Device Health security posture verification are applied to an application with the Universal Prompt activated, these workflows will fall back to the traditional prompt experience.
Duo Beyond edition endpoint features and policies: if any policies configuring Trusted Endpoints verification are applied to an application with the Universal Prompt activated, these workflows will fall back to the traditional prompt experience.
Expanded branding options will permit customization of the Universal Prompt background image and color bar. Today custom branding is limited to the company logo shown in the prompt and hiding the Duo branding line (from the Admin Panel settings).
We'll let you know when the Universal Prompt experience includes these features.
During this preview period your users may see an invitation to complete a short survey about the Universal Prompt experience via Google Forms after Duo authentication and on the self-service device management page. User participation in the survey is entirely voluntary. The Duo product development team appreciates all feedback and will use the information to further improve the Universal Prompt.
Clicking the survey link from the Duo prompt passes your Duo customer name into the survey response. No other information about your Duo configuration or your users is collected by the survey, aside from whatever responses the user may enter while answering the survey questions.
Duo admins may not disable the survey prompt, so if you do not want your users to provide feedback to Duo then please let them know directly not to complete the survey.
The Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), Edge, and Internet Explorer. Not all browsers support all Duo authentication methods, so for the widest compatibility we recommend Chrome.
Check the table below for supported browser versions and Duo login option compatibility. Duo's support for the minimum browser version includes Duo Push, passcode, and phone call authentication options. Other login options, like Touch ID, may require a different browser or a newer minimum browser version, as noted in the table.
|Safari||9||13 on macOS
13.4 on iOS
|Internet Explorer||11||Not supported||Not supported|
While other browsers may work with the Universal Prompt, we actively test and support the browsers and minimum versions listed in the table.
When you log in, Duo checks your current browser or client compatibility with the Universal Prompt. If your browser or client is not compatible, Duo will show you the traditional prompt experience instead.
We've made some underlying changes to support the Universal Prompt user experience.
Duo delivers the traditional prompt via an inline frame (or "iFrame") using our v2 WebSDK, which means that the Duo Prompt web content is embedded within a web page hosted by the protected application.
Duo Traditional Prompt in an iFrame
When planning for the Universal Prompt it soon became apparent that switching from use of inline frames to a "frameless" approach, derived from OIDC standards, would provide enhanced stability and compatibility across our web application integrations, and lay a foundation for future improvements to Duo authentication and device trust.
The most obvious difference between traditional iFrame Duo 2FA applications and updated frameless Duo 2FA applications is that instead of showing the Duo Prompt within a page hosted by the application, the application will redirect to a page hosted by Duo at duosecurity.com to show the Duo Prompt, and then redirect back to the protected application after the user completes two-factor authentication. The redirect page shows either the Universal Prompt or the traditional prompt, depending on the Universal Prompt activation status for that application.
Duo Universal Prompt in a Redirect
Duo Traditional Prompt in a Redirect
To achieve the "iFrame to frameless" migration, we've updated the Duo Web SDK with this new technical design as version 4.0, and have begun using this updated v4 SDK to bring the Universal Prompt to Duo's own web application integrations such as 2FA for Confluence, Duo Single Sign-On apps, and Duo Network Gateway, to name just a few.
Customers and technical partners should make use of the Duo Web v4 SDK and OIDC standards-based API today to begin the process of updating developed Duo integrations to support the Universal Prompt.
Each Duo application you create has a unique identifier and an associated key used to sign or verify the two-factor authentication request. These are called the "Integration Key" or ikey and the "Secret key" or
We've relabeled these two pieces of application information to better align with the OAuth 2.0 specification. These values are now known as the "Client ID" or client_id and the "Client secret" or client_secret for applications that support Universal Prompt.
The names may have changed, but the values for any existing integrations remain the same.
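The redirect flow and the role of the client secret described above, as an added example that is not Duo's SDK or code from this page: a standard-library Python illustration of what an application checks when the browser returns from a hosted prompt, namely a single-use state value and a result token signed with the client secret. The host, URL path, claim names and credential values are constructed placeholders, and the code-for-token exchange of a real OIDC flow is collapsed into a directly supplied token so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders; real values come from the application's Admin Panel page.
CLIENT_ID = "DIXXXXXXXXXXXXXXXXXX"
CLIENT_SECRET = b"constructed-placeholder-secret"
PROMPT_HOST = "api-XXXXXXXX.duosecurity.com"           # placeholder hostname
REDIRECT_URI = "https://app.example.com/duo-callback"  # hypothetical app URL

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, key):
    """Compact HS512 JWT; the shared client secret is the HMAC key."""
    head = _b64(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha512).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token, key, now=None):
    """Return the claims; raise ValueError on bad signature, algorithm or expiry."""
    try:
        head, body, sig = token.split(".")
        mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha512).digest()
        if not hmac.compare_digest(mac, _unb64(sig)):
            raise ValueError("bad signature")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        alg, exp = header["alg"], claims["exp"]
    except Exception as exc:
        raise ValueError("invalid token") from exc
    now = time.time() if now is None else now
    if alg != "HS512" or not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("wrong algorithm or expired token")
    return claims

def begin_login(session, username):
    """Step 1: store a one-time state, then build the redirect to the prompt."""
    state = secrets.token_urlsafe(32)
    session["duo_state"], session["duo_user"] = state, username
    request = sign_jwt({"iss": CLIENT_ID, "client_id": CLIENT_ID, "state": state,
                        "redirect_uri": REDIRECT_URI, "username": username,
                        "exp": int(time.time()) + 300}, CLIENT_SECRET)
    query = urlencode({"client_id": CLIENT_ID, "request": request})
    return f"https://{PROMPT_HOST}/authorize?{query}"   # illustrative path

def finish_login(session, returned_state, result_token):
    """Step 2: on the redirect back, check state first, then the signed result."""
    expected = session.pop("duo_state", "")        # pop: state is single-use
    user = session.pop("duo_user", None)
    returned = (returned_state or "").encode()
    if not expected or not hmac.compare_digest(expected.encode(), returned):
        return False                               # forged or replayed callback
    try:
        claims = verify_jwt(result_token, CLIENT_SECRET)
    except ValueError:
        return False
    return claims.get("aud") == CLIENT_ID and claims.get("username") == user
```

Because the secret both signs the outgoing request and verifies the returned result, it belongs in server-side configuration only and never in anything sent to the browser.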
Beyond the visual refresh of Duo's login prompt, the Universal Prompt makes some key changes to how users complete two-factor authentication.
Refer to the Universal Prompt End User Guide to learn more about the login experience for users.
When a user successfully logs in to a Duo-protected application, the Universal Prompt remembers the authentication method used and defaults to that method for future logins to that application. If a user wants to try a different method than the one used last, clicking Other options in the Universal Prompt shows a list of the user's available authentication methods, subject to the effective authentication methods policy for that application.
The traditional prompt does not remember the last used device, showing all available authentication methods for the user.
If a Duo user has an attached device activated for use with Duo Mobile then the Universal Prompt automatically selects Duo Push authentication the first time the user logs in to that application, and sends the push notification to the user. Subsequent use of Duo Push continues to send the push to the user automatically. There is no way for users or administrators to disable automatic Duo Push in the Universal Prompt.
In the traditional prompt a user clicks the Send Me a Push button upon landing on the prompt, or the user may have opted to configure Duo Push as an automatic authentication option when they enrolled that device.
The Universal Prompt's list of authentication options (shown when a user clicks "Other options" in the prompt) separates out different methods for a single device into individual selections, and shows the available options for all devices in a single list, with the more secure authenticator options listed first (e.g. fingerprint sensor ahead of phone call).
If the application or group policy prevents use of any authentication methods, the authentication options list shows only those methods permitted for use by the effective policy. For example, if the effective policy disallows phone call and SMS passcodes, then the options shown by Universal Prompt would not include "Call phone" and "Send text message passcode".
The traditional prompt displays the available authentication methods for a single device at a time. If a user has more than one device enrolled (e.g. two phones activated for Duo Push, or a phone and Touch ID), the user would first need to use the device selector to choose from their enrolled devices, and then make the second choice of which authentication method to use with the selected device.
If a remembered devices policy is in effect for an application, Universal Prompt shows the "Trust this browser..." option to the user after they complete two-factor application approval. The user chooses whether to check the box or not, and then clicks Continue to application to proceed.
The traditional prompt shows the "Remember me..." option before the user completes authentication.
If the application has no remembered device policy applied then users do not see the prompt to continue, and proceed directly to the application after 2FA success.
If users with combination U2F/WebAuthn security keys did not previously update their U2F key enrollment to WebAuthn in Duo's traditional prompt, those security keys will not be offered as authentication options by the Universal Prompt. These users will be able to enroll the U2F security key as a WebAuthn security key in the Universal Prompt.
As mentioned, Duo's Universal Prompt supports applications that show the Duo Prompt and device management as a web page today, but with some exceptions. The following Duo 2FA offerings are not in scope for the Universal Prompt, which means they do not appear in the Universal Prompt Update Progress report, and when viewing the details page for any of these applications there is no Universal Prompt section:
The standalone Device Management Portal application. Device management is an integral component of Duo's Universal Prompt, and will be delivered via a protected application or updated delivery method not using the Device Management Portal application.
SSL VPN integrations that use LDAPS to communicate with Duo's service directly and require login page customizations on the VPN device to show the Duo Prompt.
VPN integrations that use the Duo Authentication Proxy's radius_server_iframe configuration to inject the Duo Prompt as an iFrame over RADIUS.
Duo Access Gateway, our on-premises SAML 2.0 single sign-on solution, and by extension all service provider applications that rely on Duo Access Gateway. Duo Access Gateway customers should consider migrating to Duo Single Sign-On.
Duo Authentication for AD FS 2.x. Duo's MFA adapter for AD FS 3.0 and later (supporting Windows Server 2012 R2 and later server releases) will receive the necessary updates for Universal Prompt, but there are no further feature updates planned for the AD FS 2.0 (Windows Server 2008 and 2008 R2) and AD FS 2.1 (Windows Server 2012) Duo two-factor solution. We encourage you to migrate to a more recent version of Windows Server and AD FS.
Duo Applications installed locally that do not show the Duo Prompt today (list not exhaustive):
Any Duo application with an End of Life or End of Support notification on its documentation, e.g. Duo for Drupal 6 and 7.
We'll continue to show and support the iFrame-based Duo Prompt for these applications as we explore alternate configurations that provide a path forward, such as migrating from RADIUS authentication to Duo Single Sign-On SAML implementations.
As Duo adds support for the Universal Prompt to applications, you'll see a new section on the details page of the application indicating your progress toward the Universal Prompt for that application, and that application's update status appears on the Universal Prompt Update Progress report.
Most on-premises applications will require that you install a software update with the necessary changes to support the Universal Prompt on your web application server. This software update may be supplied by Duo or by our technical partners, depending on who developed the integration. Users of cloud-hosted SaaS services may need to make a configuration change to your account to enable the Universal Prompt support, at the direction of Duo or the Duo partner that operates the service.
Once an update becomes available and you've applied it, you then need to authenticate at least once using the updated application so that Duo makes the Universal Prompt activation settings available for that application.
The status shows "Waiting on App Provider" when viewing the Universal Prompt information for an application created by one of Duo's technical partners that has no update available. Contact the application provider to request Duo Universal Prompt support.
Your users continue to see the current Duo prompt experience until an application update becomes available, you apply the update and authenticate using the updated application, and you then activate the Universal Prompt.
Application waiting on update availability
Applications maintained by Duo show the "Waiting on Duo" status when viewing the Universal Prompt information for an application that has no update available. Contact Duo Support to request Duo Universal Prompt support.
Your users continue to see the current Duo prompt experience until Duo makes an application update available, you apply the update and authenticate using the updated application, and you then activate the Universal Prompt.
Application waiting on update availability
When Universal Prompt support becomes available for a given Duo integration, whether maintained by Duo or by a partner (or by you, our customer, for any Duo applications you may have developed in-house), the Universal Prompt details on that application's properties page in the Duo Admin Panel indicate availability of an application software update as "App Update Ready" with a link to update instructions.
Your users continue to see the current Duo prompt experience until you apply the update and authenticate using the updated application, and then activate Universal Prompt for that application.
Application update available
Once you apply the necessary updates to an application and authenticate to Duo with the update in place, the Universal Prompt details show that the application is ready for the new prompt experience. The status "New Prompt Ready" for updated applications reflects that you've done all the work required to update your application for the Universal Prompt.
Duo hosts two applications within our cloud service which we've already updated with Universal Prompt support: Microsoft Azure Active Directory and Duo Single Sign-on (SSO). You can enable the new prompt right away for the Microsoft Azure application or for SSO service provider applications that use Duo Single Sign-On, including Duo Central.
Use the activation control options to determine the login experience for your users:
Show traditional prompt: (Default) Your users experience Duo's traditional prompt when logging in to this application.
Show new Universal Prompt: Your users experience the Universal Prompt when logging in to this application.
Your users continue to see the current Duo prompt experience until you activate the Universal Prompt.
Application ready for Universal Prompt
Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.
Enable the Universal Prompt experience for an application by selecting Show new Universal Prompt in the activation options, and then scrolling to the bottom of the page to click Save.
Once you activate the Universal Prompt, the application's Universal Prompt status shows "Update Complete" here and on the Universal Prompt Update Progress report.
Application using Universal Prompt
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support.
As Universal Prompt support becomes available for Duo applications, you'll find links to the application update instructions here. Update instructions are also linked from the Universal Prompt section of an eligible application's page in the Duo Admin Panel.
CAS (Central Authentication Service): Upgrade to CAS 6.3.4 or later and then configure the Duo Security multifactor provider.
Confluence: Upgrade from the Duo Confluence v1 plugin to the Duo Atlassian v2 plugin.
Duo Network Gateway: Upgrade Duo Network Gateway to v1.5.10 or later and apply the "Enable Frameless" option for each of your Web and SSH applications in the Network Gateway admin console.
Duo Web SDK 4: Python, Java, Go, and PHP client libraries for adding Duo Prompt to your applications. These clients support both the "Web SDK" and "Partner WebSDK" applications. Update your custom-developed existing Web SDK v2 applications to use Web SDK v4. If you did not develop the application, contact the vendor to find out how to update the application.
Duo OIDC standards-based Auth API: An API for adding the Duo Prompt to your application in any language. Supported by both the "Web SDK" and "Partner WebSDK" applications. Update your custom-developed existing Web SDK v2 applications to use this API if no Web SDK 4 client is available in your required language. If you did not develop the application, contact the vendor to find out how to update the application.
Jira: Upgrade from the Duo Jira v1 plugin to the Duo Atlassian v2 plugin.
Oracle Access Manager (OAM): Upgrade from the Duo OAM v1 plugin to the Duo OAM v2 plugin.
PingFederate: Install the Duo Security Integration Kit 3.0 available from Ping.
Shibboleth: Upgrade to Shibboleth 4.1 or later and then configure the DuoOIDCAuthnConfiguration authentication plugin.
More to come...
The Universal Prompt Update Progress report, accessible at Reports → Universal Prompt Progress in the Duo Admin Panel, acts as a centralized location for determining which of your applications have the new prompt active, monitoring updates to the availability of required software updates needed to support the Universal Prompt, and viewing which applications have the necessary update in place.
Applications not in scope for Universal Prompt do not appear on the Universal Prompt Update Progress report.
When viewing the status information for a given application, we show you the number of users who have authenticated to that application in the past 30 days under the application's name.
Use the tabs to filter the report views by your application's Universal Prompt readiness status:
The traditional prompt experience and WebSDK v2 applications remain supported through the Universal Prompt preview period and after general availability (GA). Duo plans to provide a timeline for eventual deprecation of the traditional prompt, the iframe-based v2 WebSDK, and other applications not in scope for Universal Prompt support when we announce general availability of the Universal Prompt. Duo will communicate the end-of-support information well in advance of the traditional prompt end-of-support date, allowing ample time for migration to supported solutions.
Need some help? Take a look at our Universal Prompt Knowledge Base articles. If you're having issues applying the software updates to support Universal Prompt or require other technical assistance, contact Support.
Please also contact us if you have any feedback about your organization's experience activating and using the Universal Prompt during the public preview.