Skip navigation
Documentation

Duo Universal Prompt Update Guide

Last Updated: March 23rd, 2021

Contents

Introducing the Universal Prompt

Duo's next-generation authentication experience, the Universal Prompt, is coming to web-based applications that display the current Duo Prompt in browsers and select thick-client applications that use single sign-on. The Universal Prompt experience will deliver an updated look and feel designed to make it easier than ever for end-users to to enroll an authentication device in Duo, log in to Duo-protected services, and manage their devices via self-service.

Duo Push in the Universal Prompt

Learn more about the design process for the Universal Prompt on the Duo Blog.

When the Universal Prompt becomes available, complete migration from the current prompt will be a two-step process:

  1. (Limited Current Availability) Update the application to support the Universal Prompt. This may involve installing a software upgrade provided by Duo or one of our technology partners on your application server, or making a configuration change in the admin console of a cloud-hosted application where you use Duo.

    Duo and our partners are working to make these application updates available now, in anticipation of the future Universal Prompt experience.

  2. (Future Availability) In the Duo Admin Panel, enable the Universal Prompt experience for users of that application after performing any necessary app updates.

Watch the Duo Blog for future updates about the Duo Universal Prompt.

Changes to Support the Universal Prompt

We've made some underlying changes to support the Universal Prompt user experience.

Move Away from iFrames

The current Duo Prompt is delivered via an inline frame (or "iFrame") using our v2 WebSDK, which means that the Duo Prompt web content is embedded within a web page hosted by the protected application.

Duo Prompt iFrame Experience Example

When planning for the Universal Prompt it soon became apparent that switching from use of inline frames to a "frameless" approach, derived from OIDC standards, would provide enhanced stability and compatibility across our web application integrations, and lay a foundation for future improvements to Duo authentication and device trust.

The most obvious difference between today's iFrame Duo 2FA applications and updated frameless Duo 2FA applications is that instead of showing the Duo Prompt within a page hosted by the application, the application will instead redirect to a page hosted by Duo at duosecurity.com to show the Duo Prompt, and then redirect back to the protected application after the user completes two-factor authentication.

Duo Prompt Frameless Experience Example

To achieve the "iFrame to frameless" migration, we've updated the Duo Web SDK with this new technical design as version 4.0, and will then utilize the updated v4 SDK to bring the Universal Prompt to Duo's own web application integrations such as 2FA for Confluence, Duo Authentication for AD FS, and Duo Network Gateway, to name just a few.

Customers and technical partners can access the Duo Web v4 SDK and OIDC standards-based API today to begin the process of updating developed Duo integrations to support the Universal Prompt.

Read more about the new developer tooling supporting the Universal Prompt on the Duo Blog.

Renamed Application Fields

Each Duo application you create has a unique identifier and an associated key used to sign or verify the two-factor authentication request. These have been called the "Integration Key" or ikey and the "Secret key" or ikey.

We've relabeled these two pieces of application information to better align with the OAuth 2.0 specification. These values are now known as the "Client ID" or client_id and the "Client secret" or client_secret.

The names may have changed, but the values remain the same.

Universal Prompt Application Scope

As mentioned, Duo's Universal Prompt is coming to applications that show the Duo Prompt and device management as a web page today, but with some exceptions. The following Duo 2FA offerings are not in scope for the Universal Prompt:

We'll continue to support the iFrame Duo Prompt for these applications as we explore alternate configurations that provide a path forward, such as migrating from RADIUS authentication to Duo Single Sign-On SAML implementations.

Application Updates

As Duo adds support for the Universal Prompt to applications, you'll see a new section on the details page of the application indicating your progress toward the Universal Prompt for that application.

Waiting on App Provider

Most on-premises applications will require that you install a software update with the necessary changes to support the Universal Prompt on your web application server. This software update may be supplied by Duo or by our technical partners, depending on who developed the integration. Users of cloud-hosted SaaS services may need to make a configuration change to your account to enable the Universal Prompt support, at the direction of Duo or the Duo partner that operates the service.

The status shows "Waiting on App Provider" when viewing the Universal Prompt information for an application that has no update available. Contact the application provider (which may be Duo, or one of Duo's partners) to request Duo Universal Prompt support.

Your users continue to see the current Duo prompt experience until an application update becomes available, you apply the update, and you then activate the Universal Prompt (when ready).

Application waiting on update availability

Universal Prompt Info - Update Not Yet Available

App Update Ready

When Universal Prompt support becomes available for a given Duo integration, whether maintained by Duo or by a partner (or by you, our customer, in the case of Duo application you may have developed in-house), the Universal Prompt details on that application's properties page in the Duo Admin Panel will indicate availability of an application software update as "App Update Ready", with a link to update instructions.

Your users continue to see the current Duo prompt experience until you apply the update and you then activate the Universal Prompt (when ready).

Application update available

Universal Prompt Info - Update Available

Waiting on Duo

Once the necessary updates have been applied to an application, the Universal Prompt details show that the application is ready for the new prompt experience. The status "Waiting on Duo" for updated applications reflects that you've done all the work required to update your application for the Universal Prompt.

When Duo makes the Universal Prompt generally available, the status for these applications will update to "New Prompt Ready" and you'll be able to activate the new prompt experience for your users.

Your users continue to see the current Duo prompt experience until you activate the Universal Prompt (when ready).

Application ready for Universal Prompt

Universal Prompt Info - Application Updated

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support.

Application Update Instructions

As Universal Prompt support becomes available for Duo applications, you'll find links to the application instructions here.

  • Microsoft Azure Active Directory: The prompt for this application is hosted within Duo's cloud service, so we've already made the application updates necessary to support the Universal Prompt experience. No further action needed at this time.

  • Duo Single Sign-on: Duo Single Sign-On is a SAML identity provider hosted in Duo's cloud service. Any SSO service provider application that uses Duo Single Sign-On is ready for the Universal Prompt, including Duo Central. No further action needed at this time.

  • Duo Web SDK 4.0: Python, Java, and PHP client libraries for adding Duo Prompt to your applications. Update existing Web SDK v2 applications.

  • Duo OIDC standards-based Auth API: An API for adding Duo Prompt to your application in any language. Update existing Web SDK v2 applications.

  • Atlassian Confluence: Upgrade to the Duo v2 plugin.

  • Atlassian Jira: Upgrade to the Duo v2 plugin.

  • Duo Network Gateway: Upgrade to v1.5.10 or later and apply the "Enable Frameless" option for each of your Web and SSH applications in the Network Gateway admin console.

  • PingFederate: Install the Duo Security Integration Kit 3.0 available from Ping.

  • Central Authentication Service (CAS): Upgrade to CAS 6.3.0 or later and then configure the Duo Security multifactor provider.

  • Shibboleth: Upgrade to Shibboleth 4.1 or later and then configure the DuoOIDCAuthnConfiguration authentication plugin.

  • Additional applications to follow...

Universal Prompt Enablement

When the Universal Prompt end-user experience becomes available, you'll be able to activate it for a single Duo application from the Universal Prompt area of the application's page, or enable it for multiple applications from the Universal Prompt Update Progress report.

Until that time, the "Activate Universal Prompt" control shall remain inactive (greyed out), and users continue to experience the current Duo prompt.

Universal Prompt Private Preview

If you've updated an eligible application so that its update status shows "Waiting on Duo" and you're interested in participating in a private preview of the Universal Prompt experience, please apply using this form.

Track Universal Prompt Update Progress

The Universal Prompt Update Progress report, accessible at ReportsUniversal Prompt Progress in the Duo Admin Panel, acts as a centralized location for determining which of your applications will be capable of supporting the new prompt, monitoring updates to the availability of required software updates needed to support the Universal Prompt, and viewing which applications have the necessary update in place.

Later, when the Universal Prompt becomes available, the progress report will show which applications are ready for you to activate the new prompt and which applications have already completed the full Universal Prompt UI migration. When viewing the status information for a given application, we show you the number of users who have authenticated to that application in the past 30 days under the application's name.

Universal Prompt Update Progress Report

Use the tabs to filter the report views by your application's Universal Prompt readiness status. Note that those applications with "Waiting on Duo" status show up on the "New Prompt Ready" tab.