Duo's next-generation authentication experience, the Universal Prompt, is coming to web-based applications that display the current Duo Prompt in browsers and select thick-client applications that use single sign-on. The Universal Prompt experience will deliver an updated look and feel designed to make it easier than ever for end-users to to enroll an authentication device in Duo, log in to Duo-protected services, and manage their devices.
When the Universal Prompt becomes available, migration will be a two-step process:
Watch the Duo Blog for future updates about the Duo Universal Prompt.
The current Duo Prompt is delivered via an inline frame (or "iFrame") using our WebSDK, which means that the Duo Prompt web content is embedded within a web page hosted by the protected application.
When planning for the Universal Prompt it soon became apparent that switching from use of inline frames to a "frameless" approach, derived from OIDC standards, would provide enhanced stability and compatibility across our web application integrations, and lay a foundation for future improvements to Duo authentication and device trust.
The most obvious difference between today's iFrame Duo 2FA applications and updated frameless Duo 2FA applications is that instead of showing the Duo Prompt within a page hosted by the application, the application will instead redirect to a page hosted by Duo at
duosecurity.com to show the Duo Prompt, and then redirect back to the protected application after the user completes two-factor authentication.
To achieve the "iFrame to frameless" migration, we've updated the Duo Web SDK with this new technical design as version 4.0, and will then utilize the updated v4 SDK to bring the Universal Prompt to Duo's own web application integrations such as 2FA for Confluence, Duo Authentication for AD FS, and Duo Network Gateway, to name just a few.
Customers and technical partners can access the Duo Web v4 SDK and OIDC standards-based API today to begin the process of updating developed Duo integrations to support the Universal Prompt.
As mentioned, Duo's Universal Prompt is coming to applications that show the Duo Prompt as a web page today, but with some exceptions. These Duo 2FA offerings are not in scope for the Universal Prompt:
SSL VPN integrations that use LDAPS to communicate with Duo's service directly and require login page customizations on the VPN device to show the Duo Prompt.
VPN integrations that use the Duo Authentication Proxy's
radius_server_iframe configuration to inject the Duo Prompt as an iFrame over RADIUS.
Duo Access Gateway, our on-premises SAML 2.0 single sign-on solution, and by extension all service provider applications that rely on Duo Access Gateway.
Duo Applications installed locally that do not show the Duo Prompt today (list not exhaustive):
Any Duo application with an End of Life or End of Support notification on its public documentation, i.e. Duo for Drupal 6 and 7.
We'll continue to support the iFrame Duo Prompt for these applications as we explore alternate configurations that provide a path forward, like migrating from RADIUS authentication to Duo Single Sign-On SAML implementations.
As Duo adds support for the Universal Prompt to applications, you'll see a new section on the details page of the application indicating your progress towards the Universal Prompt for that application.
Most on-premises applications will require that you install a software update with the necessary changes to support the Universal Prompt on your web application server. This software update may be supplied by Duo or by our technical partners, depending on who developed the integration. Users of cloud-hosted SaaS services may need to make a configuration change to your account to enable the Universal Prompt support, at the direction of Duo or the Duo partner that operates the service.
Application waiting on update availabiility
When Universal Prompt support becomes available for a given Duo integration, whether maintained by Duo or by a partner (or by you, our customer, in the case of Duo application you may have developed in-house), the Universal Prompt details on that application's properties page in the Duo Admin Panel will indicate availability of an application software update, with a link to update instructions.
Application update available
Once the necessary updates have been applied to an application, the Universal Prompt details show that the application is ready for the new prompt experience once released.
Application ready for Universal Prompt
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support.
As Universal Prompt support becomes available for Duo applications, you'll find links to the application instructions here.
Microsoft Azure Active Directory: The prompt for this application is hosted within Duo's cloud service, so we've already made the application updates necessary to support the Universal Prompt experience. No further action is needed at this time.
Duo Single Sign-on: Duo Single Sign-On is a SAML identity provider hosted in Duo's cloud service. Any SSO service provider application that uses Duo Single Sign-On is ready for the Universal Prompt, including Duo Central.
Duo Web SDK 4.0: Currently in Public Preview. Python and Java client libraries for adding Duo Prompt to your applications.
Duo OIDC standards-based Auth API: Currently in Public Preview. An API for adding Duo Prompt to your application in any language.
Atlassian Confluence: Currently in Public Preview. Upgrade to the v2 plugin.
Atlassian Jira: Currently in Public Preview. Upgrade to the v2 plugin.
Additional applications to follow...
When the Universal Prompt end-user experience becomes available, you'll be able to activate it for a single Duo application from the Universal prompt area of the application's page, or enable it for multiple applications from the Universal Prompt Update Progress report.
Until that time, the "Activate Universal Prompt" control shall remain inactive.
The Universal Prompt Update Progress report, accessible at Reports → Universal Prompt Progress in the Duo Admin Panel, acts as a centralized location for determining which of your applications will be capable of supporting the new prompt, monitoring updates to the availability of required software updates needed to support the Universal Prompt, and viewing which applications have the necessary update in place. Later, when the Universal Prompt becomes available, the progress report will show which applications are ready for you to activate the new prompt and which applications have already completed the full Universal Prompt UI migration.