New iPhone, Who dis? How to Instantly Restore 2FA Settings
It’s finally that time. You bought yourself that new iPhone with a super mega ultra display and six cameras. The excitement of having the latest tech in your hands only lasts for so long before you are met by an authentication prompt. You forgot that your organization had two-factor authentication (2FA) security in place. Your mobile authenticator was on your old device and it just worked, but now it does not. What do you do? You install the app, but none of your accounts are working! How are you going to get in? You might find yourself cursing your security team for this barrier. Fear not, there is an easier way.
At Duo, we thought this whole process was frustrating too. This problem affects all mobile authenticators in the security industry, and has yet to be solved. Operating securely to protect yourself and your organization should be simple, which is why we’re excited to announce our latest feature for iOS: Instant Restore for Duo-protected accounts. Duo mobile users can now seamlessly reactivate their Duo-protected accounts with the tap of a button.
How Does Duo Make This Easier?
We are going to show you how to set up your new phone with iOS: Instant Restore in three easy steps.
Setup Instant Restore for Users in 3 Easy Steps
Double- check that you have iCloud Keychain enabled on your old phone
Backup your old phone
Restore the backup to your new device
Before you get a new iPhone, be sure to make a backup of your old device. When you get a new iPhone, go ahead and set up your new iPhone from an iCloud backup, iTunes backup, or Direct Data transfer (all standard setup mechanisms work). Make sure you’ve logged into your AppleID on your new phone, have iCloud Keychain enabled, and that your keychain has synced to your new device. The first time you open Duo Mobile, you will be presented with the option to get your accounts back. Just hit “Get Started,” and everything will be connected automatically.
Note: When you perform this restore, your Duo-protected accounts on your old device will be deactivated.
Important Note for Admins: Instant Restore needs to be enabled by one of your organization’s Administrators. If your organization is new to Duo, this setting will be on by default. Admins, please see our documentation here for more details. Once enabled, all of your iOS users will be able to benefit from Instant Restore. Simplifying the new phone setup reduces the ticket burden on your help desk staff, as they’ll spend less time generating reactivation links for users.
What Gets Restored?
Instant Restore will transfer your Duo-protected and Duo Admin accounts. Third-party (TOTP) accounts will still require a recovery password to restore access on the new device. Steps to enable Duo Restore for third-party accounts can be found here and it is also pretty easy!
Note: Windows Offline accounts are not restored, and need to be manually reconnected on your Windows machine.
How Does Duo Make Instant Restore for iOS Possible?
When Instant Restore is enabled, Duo Mobile (versions 3.32.0 or later) will leverage iCloud Keychain to store a restoration secret. This secret, along with information we store in the backup, are used upon restore to prove the identity of a user when they get a new device.
With the security assurances afforded by iCloud Keychain, we can transfer the restoration secret securely to the new iPhone, and use it to negotiate a reactivation with Duo’s service. Once a user triggers an Instant Restore to their new device, the old device is deactivated. The new phone then replaces the previous phone associated with the user in Duo’s Admin panel and prompt.
We understand there is some risk to utilizing iCloud Keychain, and although we have faith in the strong security properties of iCloud Keychain, we understand Apple account compromise is still a possibility.
To mitigate this risk we send a push notification to the old phone upon account reactivation, letting a user know a potential malicious actor has fraudulently reactivated their phone. If they confirm this was done by someone other than themselves, we will immediately deactivate both devices, and send a notification email to all Administrators specified in the “alert email” setting. Users will also see this alert every time they open their device for 24 hours after the Instant Restore event has occurred.
What About Android?
We wanted to bring the benefits of Instant Restore for iOS to market as soon as possible to help reduce your help desk burden. However, we know it’s important to have Instant Restore for all mobile users, and we’re working hard on implementing this feature for Android too (you can still restore with a password). Stay tuned for more info!
Parting Thoughts
We’re excited to make Instant Restore and the time it will save our users, and we strongly encourage Admins to consider turning it on!
As always, please let us know what you think. Tweet to us at @duosec or leave us an app review in iTunes or Google Play.
Test drive Duo's 2FA today and sign up for a free trial. Making cybersecurity easy is what we do!