T-Minus 365 and Counting! Deploy Universal Prompt to Strengthen Security While Improving User Experience
It’s time to get started with your migration from Duo Traditional Prompt to Duo Universal Prompt. This redesigned version came out last year. There are dozens of benefits that come with the new prompt. In our last Universal Prompt blog we focused on a few of the security benefits that using it provides. In this blog we’ll get into more of the user experience benefits.
Why do we start our one-year countdown to the Duo Universal Prompt upgrade today? Effective March 30, 2024, Duo will no longer support the traditional Duo Prompt.
A few specific reasons to move to the Duo Universal Prompt
The Universal Prompt is Duo's latest authentication interface that enables easier, and more secure authentication for users. The following functionality is ONLY available with Universal Prompt and as Cisco Duo continues to develop innovative new security functionality it will be built on Universal Prompt:
Built-In Security – The Universal Prompt is a requirement to implement many of our latest security features and it will continue to be moving forward.
Self-Service Portal – Admins have the ability to put security DIY capabilities in the hands of their users enabling them to self-enroll and manage their authentication devices.
Improved User Experience – The Universal Prompt is a major redesign with new styling and a workflow-based authentication experience.
Let’s take a closer look at what these improvements mean for users and admins:
Universal Prompt Built-In Security
Risk-Based Authentication is an essential feature that requires Universal Prompt. It challenges users with the right authentication method based on their threat context. We know push is a popular multi-factor authenticator and while it is a secure method, we know cyber criminals have found ways to trick users into inadvertently accepting requests on their behalf.
Verified Duo Push (known as “number matching” in the industry) solves this, but companies do not want to demand it of all users in circumstances when it may not be required. Risk-Based Authentication automatically presents it to users when it determines need, based on “risk factors”, analyzed with machine learning. However, to implement this powerful functionality organizations must implement Univeral Prompt.
Also the Universal Prompt web-based redesign included a major shift in its architecture that includes many benefits over the Traditional Prompt. Universal Prompt utilizes OpenID Connect and moves away from using iFrames, which eliminates the need for additional security configurations like allowed hostnames that is recommended with the Traditional Prompt.
Universal Prompt Self-Service Portal
The Self-Service Portal can be enabled by a Duo administrator on a per-application basis. It enables a DIY (do-it-yourself) approach to reduce helpdesk involvement. Users can add additional verification methods, manage their existing devices, or reactivate Duo Mobile for Duo Push from the Universal Prompt.
Users may add or edit their available devices by going to “Other options” in the Universal Prompt and then selecting “Manage devices” (which now occurs in a separate page rather than within the frame of the prompt itself, in contrast to the traditional Duo Prompt). From there, they will visit a page listing their current devices and be able to add or edit devices.
Universal Prompt Experience Enhancements
Ease of use can potentially save a significant amount of time for companies in direct correlation to the number of users enrolled. The Universal Prompt improved experience is a result of extensive research by Duo design teams into how to optimize the authentication workflow for users’ personas. Long story short, it’s streamlined and removes clutter.
Some of the key enhancements include:
Last-Used Method – Rather than showing the user multiple authentication options simultaneously, the Universal Prompt only shows the last-used authentication method whenever users log in. This saves a click and makes the experience faster.
Remember Me – The “Remember me” button is front and center in the Universal Prompt, so you can easily trust your browser. This, in turn, allows you to save time logging in by avoiding the second-factor prompt unnecessarily.
Automatic Duo Push – If Duo Push authentication is selected by a user – or automatically selected on behalf of a user during a first-time authentication – then Duo sends the push notification to the user’s activated device.
Automatic Device Selection – The first time a user accesses the Universal Prompt for a given application, Duo automatically presents the most secure authentication option available to the user.
Improved User Guidance – This includes contextual user and error messages in plain language, with instructions to the user on how to solve the issue. These are also displayed more visibly for better comprehension.
Enhanced Web Accessibility – Cisco is committed to designing and delivering accessible products company wide. The Universal Prompt is designed to meet Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level.
According to the 2022 Duo Trusted Access Report, Duo Push is the most-used authentication method, accounting for 27.6% of all authentications.
Upgrading to the Universal Prompt
How do you know whether you applications need to move to the Universal Prompt?
Universal Prompt migration is required for applications that show the traditional Duo Prompt and device management as a web page today, with a few exceptions:
In-Scope Applications – Some of the applications listed in the Duo Universal Prompt Upgrade Guide, like Jira, only require a Duo plugin in order to support them. Others, like Microsoft Azure, already support the Duo Universal Prompt and just need to have it selected in the Duo Admin Console.
Out-of-Scope Applications – Some Duo iframe-based integrations will not use the Universal Prompt. These include SSL VPN integrations that use LDAPS. The progress report found in the Admin Console will reflect this.
Unaffected Applications – Duo Applications that do not show the browser-based Duo Prompt today are neither in-scope for Universal Prompt support nor affected by the planned traditional Duo Prompt end-of-life.
How can you upgrade your environment to the new Universal Prompt?
Most on-premises applications require administrators to install a software update with the necessary changes to support the Universal Prompt on their web application servers. This software update may be supplied by Duo or by our technology partners, depending on who developed the integration. Cloud-hosted software-as-a-service (SaaS) may require limited account changes.
Get to know the Duo Universal Prompt today
Now is a great time to upgrade from the traditional prompt to the Universal Prompt. After you upgrade, your users will have a much better experience engaging with a more efficient design and experience-focused features. Your admins will be able to better secure their environments with a rich set of security functionality that only the Universal Prompt enables. Plus, you’ll be able to transition to the Duo Universal Prompt before we end-of-life the traditional Duo Prompt on March 30, 2024.
For more information on Duo Universal Prompt, check out how it’s utilized by reading the Duo Guide to Two-Factor Authentication. And for specifics on Universal Prompt implementation, see our documentation in the Duo Universal Prompt Update Guide.