Universal Prompt Is the Interface to Guard Against Increasingly Sophisticated Application Threat Vectors
Last year, Duo announced the General Availability of the new Duo Universal Prompt. Next year the legacy Duo Traditional Prompt will no longer be supported. Steps to migrate from the latter to the former vary by application, but most involve a handful of steps. Until then your company is missing out on many new security features, improved user experience, and various other features only available with Universal Prompt.
What is Duo Universal Prompt?
The Universal Prompt is Duo's next-generation authentication interface that delivers a better experience for every user. Upgrading to Universal Prompt helps organizations:
Modernize Authentication – Go from legacy authentication protocols, like Radius and LDAP, to modern ones, like SAML and WebAuthn, and get started on a journey towards a passwordless future.
Strengthen Security – MFA attacks like phish bombing, unauthorized device enrollment, and adversary in the middle can wreak havoc on your network; Universal Prompt guards against these with Verified Duo Push and Risk-Based Authentication.
Simplify Secure Access – Modernizing security can be disruptive for users, but Universal Prompt makes it painless with a smooth authentication experience, intuitive web-based design, and several self-service options.
Since its release early last year, we’ve been adding support for a broad set of applications. Last month we added support for Citrix NetScaler Single Sign-On (SSO), and this month we’ve added support for Microsoft Outlook Web Access (OWA) to the long list of Universal Prompt-ready applications.
Universal Prompt for Outlook Web Access (OWA)
When users need to check their inbox for new email and don’t have access to a device with the Outlook Client, they turn to a browser and the Outlook Web Access (OWA) portal to their Exchange email server. OWA has long been a popular interface for users in Microsoft environments, yet it still requires strong authentication to verify user trust, especially for companies that make it available externally.
Cisco Duo has provided strong multi-factor authentication (MFA) for many customers using OWA for many years. Now, those environments can move to the Duo Universal Prompt and enjoy many security and experience benefits.
Duo protects OWA by performing a redirect to the Duo Universal Prompt URL, passing context for authentication and the current OWA URL to return to when authentication completes. Once the user is authenticated by Duo, the browser redirects to the passed OWA URL to complete the authentication and store a Duo session cookie.
The Duo OWA Integration is compatible with Exchange Server 2013, 2016, and 2019 running on Windows Server 2012 or newer. Update Duo for OWA in just three steps, shown on Update Duo for OWA. Then Cisco Duo can continue to provide MFA for OWA as outlined below from the Duo documentation page
For more information see the Duo for OWA FAQ and Duo documentation for OWA.
Universal Prompt for Remote Desktop Web Access (RD Web)
Remote Desktop Web Access (RD Web) is a Microsoft server service, that runs with Internet Information Services (IIS) to provide remote application access using a browser. Duo integrates with RD Web to add two-factor authentication to logons.
Duo’s RD Web implementation now supports the Universal Prompt and all of the functionality it provides including strong authentication. For more information regarding Duo Authentication for RD Web and Microsoft Remote Desktop Services see Duo docs.
Universal Prompt for Citrix NetScaler SSO
Citrix NetScaler is a popular application delivery controller for Citrix Workspace environments. Cisco Duo has provided MFA for those environments for several years and recently has added support for NetScaler SSO.
Duo SSO is our cloud-hosted SSO product, which layers Duo's strong authentication and flexible policy engine on top of Citrix NetScaler logins. Duo Single Sign-On acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) or another SSO IdP. Duo SSO prompts users for two-factor authentication and performs endpoint assessment and verification before permitting access to Citrix NetScaler.
Duo Single Sign-On is available in Duo Premier, Duo Advantage, and Duo Essentials plans, which also include the ability to define policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Citrix NetScaler. Duo checks the user, device, and network against an application's policy before allowing access to the application.
Before configuring Citrix NetScaler with Duo SSO using Security Assertion Markup Language (SAML) 2.0 authentication, you'll first need to enable Duo Single Sign-On for your Duo account and configure a working authentication source. Once you have your SSO authentication source working, continue to the next step of creating the Citrix NetScaler application in Duo.
We've already updated the Duo Citrix NetScaler application hosted in Duo's service to support Universal Prompt, so there's no action required on your part to update the application itself. You can activate the Universal Prompt experience for users of new and existing Duo Citrix NetScaler applications from the Duo Admin Panel.
For more information see Duo documentation for NetScaler.
Universal Prompt-ready applications
Here’s a list of some of the many applications that are currently ready for admins to enable Universal Prompt as part of user’s authentication experience. Click links for applications used in your environment to learn more:
Get to know the Duo Universal Prompt
Migrate to Duo Universal Prompt as soon as possible. It’s supported by a broad set of applications, it provides a better user experience, you can implement stronger authenticators, and Duo Traditional Prompt will no longer be supported early next year.
For more information on Duo Universal Prompt, see how in may be utilized in the Duo Guide to Two-Factor Authentication. Or for specifics on its implementation, see documentation on in the Duo Universal Prompt Update Guide. For templates to help roll it out to your users, see Duo Universal Prompt Project End-User Education Communication Templates. For end user guidance on using Universal Prompt see Duo End User Guide on the Universal Prompt.