ACTION REQUIRED: Upgrade to Universal Prompt Now for Better Protection & User Experience
Last year, Duo Security announced the General Availability of the Duo Universal Prompt and many customers have happily upgraded to it from the Duo Traditional Prompt. For our customers who have not yet migrated, we would like you to be aware of a few key reasons that ONLY Universal Prompt provides Duo customers with better protection and improved user experience!
From Traditional Prompt to Universal Prompt
What is Duo Universal Prompt?
The Universal Prompt is Duo's next-generation authentication experience that delivers an easier, more secure, and more accessible authentication for every user. Universal Prompt is Duo's answer to modern security based on zero-trust principles. The Universal Prompt is inherently more secure, as it has updated web-based technology and allows for features that provide "step-up security" such as Verified Duo Push, silent push, Risk-Based Authentication, passwordless, and more.
Upgrading to Universal Prompts helps organizations:
Modernize authentication – Universal Prompt paves the way for customers to modernize their infrastructure and benefit from the latest technologies. For example, updating corporate applications to use SAML (Security Assertion Markup Language) and WebAuth(the Web Authentication API) for authentication mitigates vulnerabilities posed by legacy protocols (RADIUS, LDAP) and weak authentication factors like one-time passcodes. This also helps organizations get started on a journey towards a passwordless future.
Simplify secure access – The move to modernizing and strengthening your IT security infrastructure can be disruptive for end users, but Universal Prompt minimizes user friction with a simple authentication experience and intuitive web-based design.
Strengthen security – Bad actors continue to develop more sophisticated means of social engineering attacks to bypass security controls. Universal Prompt minimizes the risks those attacks pose by enabling Duo customers to implement advanced security measures.
A few key reasons Duo Universal Prompt strengthens security
Our Self-Service Portal, Verified Duo Push, and Risk-Based Authentication functionality is ONLY available using the Duo Universal Prompt. We will also continue to rapidly deliver new functionality built specifically on the Universal Prompt.
Verified Duo Push - Asking users to verify push requests and using number matching mitigates the risk of push harassment and MFA fatigue attacks.
Self Service Portal – Admins can securely enable the new Duo-hosted self-service portal and require strong authentication while empowering users to self-enroll and manage their authentication devices.
Risk-Based Authentication – Reduce user friction and improve security by analyzing risk signals and automatically step up authentication only when necessary.
The benefits of Verified Duo Push
Verified Duo Push makes MFA more secure by mitigating the risk of push harassment and MFA fatigue attacks by requiring additional input to complete authentication. These popular attacks involve bad actors with stolen credentials to an app or service repeatedly submit push verification requests until the confused and weary user unintentionally accepts thinking it was for a session renewal or something similar.
The new verification step included in Verified Duo Push - known generically as number matching - asks the user to enter a set of numbers displayed on their “authentication device” into the authentication prompt on their “access device” in addition to accepting this push. By doing so, the user is protected against inadvertently accepting a fraudulent push request with minimal additional friction. Admins can configure the length of the match code required, from 3-6 numbers, based on their security posture.
Access Device and Authentication Device
For more implementation information see Verified Duo Push documentation.
The benefits of Duo Self-Service Portal
The new cloud-hosted Self-Service Portal provides an optimal way for end users to manage their devices and complete enrollment. Users can add, edit, and remove secure authentication methods from the Universal Prompt while logging into protected applications.
After passing primary authentication, the “Manage Devices” option is shown at the bottom of the current authenticator list. Duo authentication with a previously added authentication method is needed to gain access.
Users can rename or remove existing devices with the “Edit” options, or use “Add a device” to register another authentication device.
The benefits of Duo Risk-Based Authentication
Duo Risk-Based Authentication dynamically challenges users with stronger authentication methods based on risk signals. It complements Verified Duo Push well, as Verified Duo Push is one of those strong authentication methods Risk-Based Authentication uses when it’s deemed necessary based on a risk signal.
Those signals include:
Device trust, including whether key systems are up to date
Location, like access from a prohibited country
Known attack patterns, such as suspicious activity with unusual patterns like repeated failures that can indicate attacks
Wi-Fi fingerprint, which detects when a user roams to another network
Security needs to be easy for users, otherwise they will resist it. Duo Risk-Based Authentication effectively manages trust by presenting users with the right authentication method at the right time for the right risk.
For more implementation information see Risk-Based Authentication documentation.
How can you upgrade your environment to the new Universal Prompt?
Most on-premises applications require administrators to install a software update with the necessary changes to support the Universal Prompt on their web application servers. This software update may be supplied by Duo or by our technology partners, depending on who developed the integration. Cloud-hosted software-as-a-service (SaaS) may require limited account changes.
For more implementation information see Universal Prompt update guide.
Get to know Duo Universal Prompt
Now is a great time to upgrade from Duo Traditional Prompt to Duo Universal Prompt. Your users will have a better experience behind a better, more efficient design, along with a variety of experience-focused features. Also, admins will be able to better protect their environments with the rich set of security functionality that Universal Prompt enables.
Why is Action Required? Effective March 30, 2024, Duo will no longer support the traditional Duo Prompt! Get your plans started ASAP to benefit from the new functionality only available with Duo Universal Prompt!
For more information on Duo Universal Prompt see how in may be utilized in the Duo Guide to Two-Factor Authentication or for specifics on its implementation check out the Duo Universal Prompt Update Guide.