Duo Universal Prompt - (lack of) Default Device option

AnthonyL3
Level 1

Hello,

I’ve been attempting to move to the Universal Prompt for years, but there have always been technical blockers. With the announcement that support for the Traditional Prompt is ending in the coming months, I’m growing in concern that gaps I’ve called out haven’t been addressed. In particular, the lack of support for the user to select a Default Device. I’ve opened support cases that have been closed/added to an enhancement, but haven’t heard of a solution being developed.

The Universal Prompt is not available at every integration point (LDAPS/RADIUS authentication proxy) and in real world deployment users are not prompted at all, or using an unexpected method (some of which can’t work). This is a huge gap we found when attempting to roll out the Universal Prompt that produced Incidents which forced us to roll back to the Traditional Prompt. It appears the Universal Prompt work fails to address anything other than Universal Prompt behaviors. For us, this is a must have before we can move to Universal Prompt because we use other options like LDAP/RADIUS proxies, and CLI integration.

Based on the language in the guide, it’s like the team is fully aware that default devices were removed compared to the Traditional Prompt but don’t understand this is a problem.

https://guide.duo.com/universal-prompt
(Language as-of 2023-01-26)

“Completing Duo login sets the login option you used as the first choice for this application. Future Universal Prompt logins to that application from the same device and browser will automatically use that same method. If you cancel the authentication in process and choose a different device, then the device you use becomes the first choice for that application.

There is no way to turn off automatic device selection, or to explicitly configure a default authentication device.

“Your organization’s Duo administrator may choose to block some authentication options for certain applications, requiring that you choose a different device. Since Duo remembers the last-used authentication device for each application you access, the Universal Prompt should always display the right default option for that application.”

You can see this is fully Universal Prompt centric and does not address or acknowledge any behavior or impacts to other integration/prompt use cases using Duo.

How can we raise this issue to the right level of attention?

Thank you.
Anthony

10 Replies

DuoKristina
Cisco Employee

To raise your issue please contact Duo Support, or your Duo account exec or Duo Care team, to voice support for a feature request for making the default device used configurable in the Universal Prompt.

ETA: rereading your post it sounds like you may have already been added to the relevant feature request from prior support interactions. Do you have a Duo account exec or Duo Care success manager that could facilitate further discussions for you?

Also note that the Duo traditional prompt and iframe end-of-support date is March 2024, which is not quite “in the coming months”. We will keep enhancing the Universal Prompt and working with partners to update their traditional prompt applications throughout 2023.

Duo, not DUO.

Bry-AnnYates
Level 1

Hello,

Has any progress been made on this feature request? We have many international students who have both US and foreign numbers. How do they set what number to send the push to depending on what country they are in? We have prohibited the ability to use SMS and Phone, so a mobile app is their only option.

rkno
Level 1

Any update? We are also waiting for this feature. Duo support told us that it's on the roadmap but without a release date. March 2024 is pretty soon.

We are qualifying a solution that lets individual users choose a device, but you should still be planning your migration off traditional Duo Prompt and the iframe ahead of the end-of-support milestone this March even if you aren't a fan of automatic device selection in Duo Universal Prompt. Support extensions won't be granted based on this.

Duo, not DUO.

Thanks. We already updated to Universal Prompt. Works fine except for the missing option to select the default device. Therefore we switched back to traditional prompt.

If this feature is not available by the end of March we will face many unhappy users and increased support effort to manually switch default devices in the admin portal - where this is still possible. I really hope you get this done within the next month. If you need any beta testers, feel free to contact me.

The solution coming is not the same as the traditional Duo Prompt, where the individual user can select a preferred device for automatic use. It is going to be a per-user setting that turns off automatic selection, so when the user encounters the prompt no factor is automatically selected and the user picks the method they want to use. This feature enters early access in the next release, which rolls out to production over the next 7 days.

If you really want a direct analogue to user-selected default device, please contact Duo Support to submit that feature request.

Duo, not DUO.

You are saying "a per-user setting that turns off automatic selection" is coming soon. If I understand correctly, if you turn off the auto selection and you access let's say a Duo protected website, you will be asked "which device to use for MFA?" and then you authenticate using that device. Correct?

The big question here, when the user connects to a remote desktop and authenticates at the RD Gateway, which MFA device will be selected? Connections via RD Gateway can't show a pop-up asking for "which device to use for MFA?". What's the fallback solution here? (btw. @AnthonyL3, who started the discussion also referred to this issue with applications that cannot show a prompt at all.)

If it would be the "last used device" that could be a solution. In this case, if the user wants to switch the device for RD Gateway authentication, he/she would only need to access a website with Universal Prompt first, select the desired device, authenticate and close the website. Afterwards connect to RD Gateway and get the prompt at the last used device.

For applications that do not show an interactive Duo prompt in a browser but do show some Duo UI at the client, such as Duo Unix and Duo for Windows and Mac logon, the default device used would be the first phone device listed for the user in the Duo Admin Panel, and the UI will offer other compatible authentication method options as alternate selections. For applications that do not show any Duo authentication UI at all, like Duo for RD Gateway or RADIUS/LDAP auto configurations using Duo Authentication proxy, the default device used is the first phone device attached to the user in the Admin Panel that is capable of Duo Push or phone call methods, with no other method possible. These applications are based on Duo's Auth API, not Duo's Web SDK.

This device preference for non-browser API apps hasn't ever been manageable by the end user and that remains unchanged.

The last-used device behavior is exclusive to Duo Universal Prompt and is determined via a browser cookie, so it's impossible to have that information apply to non-browser auths. The per-user setting that turns off automatic selection is only effective for Universal Prompt as well. Learn more about it here: https://duo.com/docs/administration-users#change-user-authentication-experience (noting that the option is rolling out in the D285 release, which your specific Duo deployment might not receive until the end of next week).

Duo, not DUO.

rkno
Level 1

Thanks for clarifying. You're absolutely right: "This device preference for non-browser API apps hasn't ever been manageable by the end user and that remains unchanged".

But at least with the old prompt we could provide access via RD Web for example. This is based on Web SDK and allows setting the preferred device. Every time the user needed to change the default device he/she accesses RD Web, sets the default and connects via RD Gateway which respects the default device setting.

From what I understand, RD Gateway still respects the default device or device order (first with push or call) but the option to change that is gone. In my view this is a missing feature of Universal Prompt. Before user + admins could change it. Now only admins.

Any chance to put this in as a feature request?

DuoKristina
Cisco Employee

You can submit anything as a feature request by contacting your Duo Care team if you have one, or Duo Support if you don't.

Duo, not DUO.