Duo Universal Prompt

Introducing Duo's refreshed authentication experience, the Universal Prompt.

About the Duo Universal Prompt

When you log into an application protected with Duo using a web browser or certain client applications, you see a Duo prompt after entering your application login information.

The Universal Prompt provides a simplified Duo experience over the traditional prompt, helping you log in to your applications faster than before.

You'll notice that the Duo login options look different from how they did in the traditional prompt, but the Universal Prompt still supports a wide range of Duo login options so you (or your Duo administrator) can choose the options that work best for your organization.

Another difference between the Universal Prompt and the traditional prompt is that the traditional prompt loads on a web page that's part of your organization's application, while with the Universal Prompt your browser redirects to a page hosted by Duo for you to verify your login attempt, and then redirects back to the application.

Here's a comparison of logging in with Duo Push in the Universal Prompt and traditional prompt:

Universal Prompt Traditional Prompt
Duo Push in Universal Prompt Duo Push in Traditional Prompt

Supported Browsers

The Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), Edge, and Internet Explorer. Not all browsers support all Duo authentication methods, so for the widest compatibility we recommend Chrome.

Check the table below for supported browser versions and Duo login option compatibility. Duo's support for the minimum browser version includes Duo Push, passcode, and phone call authentication options. Other login options, like Touch ID, may require a different browser or a newer minimum browser version, as noted in the table.

Browser Minimum Supported
Version
Security Keys
Minimum Version
Touch ID
Minimum Version
Chrome 38 70 70
Safari 9 13 on macOS
13.4 on iOS
Not supported
Firefox 47 60 Not supported
Edge 17 79 Not supported
Internet Explorer 11 Not supported Not supported

While other browsers may work with the Universal Prompt, Duo actively tests and supports the browsers and minimum versions listed in the table.

When you log in Duo checks your current browser or client compatibility with the Universal Prompt. If your browser or client is not compatible, Duo will show you the traditional prompt experience instead.

Language Support

Duo's Universal Prompt supports English, Spanish, French, German, and Japanese. Your browser's language settings determine the language shown in the prompt, with no extra configuration necessary.

Log In With the Duo Universal Prompt

After completing Duo enrollment (or if your Duo administrator set you up to use Duo), you'll see the Duo prompt the next time you perform a browser-based login to a web service or application protected with Duo.

When you log in with the Universal Prompt, Duo remembers the authentication device you used to log in to that application before and defaults to that option.

The first time you log in with Duo using the Universal Prompt, Duo chooses one of your configured login options automatically. If you have a phone or tablet with Duo Mobile activated, the Universal Prompt will send you a Duo Push. If you approve the Duo Push request from your phone or tablet, Duo remembers that you were able to use Duo Push with this application so that the next time you log in you'll receive an automatic Duo Push. If instead of approving the automatic Duo Push you switch to use your security key to log in, the next time you log in to that application you'll automatically land on the security key option in the prompt.

Your organization's Duo administrator may choose to block some authentication options for certain applications, requiring that you choose a different device. Since Duo remembers the last-used authentication device for each application you access, the Universal Prompt should always display the right default option for that application.

Choose a Different Method

If you ever want to choose a different device or Duo method than the one shown automatically by the Universal Prompt, click Other options near the bottom. This takes you to a list of all your available Duo authentication options. Click on the one you want to use and follow the instructions shown to complete logging in to the application.

List of Authentication Options in Universal Prompt

Your organization might apply a policy that prevents the use of some authentication methods for one or all applications. If so, those options won't show up in the list.

Remembered Devices

If your organization's policy allows it, you may be able to skip authenticating with Duo again for a set amount of time. After you approve the Duo authentication request, you'll see the option to trust this browser. Check the box to remember your browser for the amount of time shown. When that trust period ends, you will need to perform Duo authentication again.

Depending on the policy applied by your Duo administrator, this may trust your browser across all your organization's Duo-protected applications, or there may be unique policies applied to applications that require you to perform Duo authentication again regardless of whether you trusted your browser. Ask your Duo administrator or help desk for more information.

Do not check this option when using a public or shared computer! This could leave your Duo session available to other users. Trust the browser only when you access applications from your own computer.

Remember Device Option in Universal Prompt

Duo Universal Prompt Login Options

Availability of the following Duo login options in the Universal Prompt depends on your browser or browser version, or on the policies applied by your organization's Duo administrator.

Duo Push

Pushes a login request to your iOS or Android phone or tablet if you have Duo Mobile installed and activated. Review the request on your phone or tablet and tap Approve to log in to the application.

Duo Push in Universal Prompt

Security Key

A security key plugs into your USB port and when tapped or pressed it sends a signed response back to Duo to verify your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

In order to use a security key with Duo, make sure you have the following:

  • A supported browser (check the table above to verify your browser supports security keys).
  • An available USB port.
  • A WebAuthn/FIDO2 security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. U2F-only security keys (like the YubiKey NEO-n) are not supported.

Insert your security key if not already plugged in, and then tap or press your security key when prompted to log in to the application. Some types of keys flash as a prompt for you to authenticate.

Security Key in Universal Prompt

Fingerprint Sensor

Fingerprint authentication lets you use your device's fingerprint sensor for Duo login verification. Duo supports fingerprint verification with Touch ID on Apple MacBooks and Magic Keyboards.

Touch ID

In order to use Touch ID with Duo, make sure you have the following:

Touch your Mac's Touch ID sensor when prompted to log in to the application. If you aren't able to access the Touch ID sensor (such as when you close and dock your laptop), then you can choose to type in your Mac login password instead to verify.

Fingerprint in Universal Prompt

Duo Mobile Passcode

Log in using a passcode generated by the Duo Mobile app installed and activated on your Android or iOS device. Open Duo Mobile and locate your organization's account in the accounts list, and tap it to generate a six-digit passcode. Enter that passcode into the space provided and click or tap Verify to log in to the application.

Duo Mobile Passcode in Universal Prompt

YubiKey Passcode

Log in using a passcode generated by a YubiKey. Connect or plug in your YubiKey and press it to generate and submit a passcode to log in to the application.

Your administrator must have configured the YubiKey for passcode use in Duo. This is a separate function from using a YubiKey as a security key.

YubiKey Passcode in Universal Prompt

Hardware Token Passcode

Log in using a passcode generated by a hardware token provided to you by your organization. Enter that passcode into the space provided and click or tap Verify to log in to the application.

Hardware Token Passcode in Universal Prompt

Text Message Passcode

Log in using a passcode received from Duo in a text message. When you land on the text message page, it will show that a text message was just sent to you with a passcode. When you receive the message, enter that passcode into the space provided and click or tap Verify to log in to the application.

If you did not receive the text message from Duo, use the Send a new passcode link to try sending it again.

Passcodes received in a text message expire when used.

Text Message Passcode in Universal Prompt

Phone Call

Authenticate via phone callback. Answer the phone call from Duo and follow the voice instructions to log in to the application.

Phone Call in Universal Prompt

Bypass Code

Log in using a code provided by your organization's Duo administrator or help desk. Enter that code into the space provided and click or tap Verify to log in to the application.

Bypass Code in Universal Prompt

First-time Enrollment in Duo

Enrollment is the process that registers you as a user in Duo with a device capable of performing two-factor authentication. Duo prompts you to enroll the first time you log into into a protected VPN or web application when using a browser or client application that shows the interactive Duo web-based prompt. Follow the on-screen prompts to set up your Duo authentication device.

Instead of enrolling when you log in to an application, you might receive an email from your organization's Duo administrator with an enrollment link instead. For now, an emailed enrollment link takes you to enrollment in the traditional Duo prompt.

Step One: Introduction

Logging into a Duo-protected application enabled for self-enrollment takes you to the device management page to enroll. Click Next to learn why protecting your identity with two-step verification is important and begin the setup process.

Begin Universal Enrollment

Step Two: Choose Your Verification Method

Click the device type in the list that matches your desired authentication experience:

  • Touch ID: Use the fingerprint sensor on Apple MacBooks and Magic Keyboards. Requires Chrome 70 or later.
  • Duo Mobile App: Approve Duo Push verification requests on iOS or Android devices, or generate a one-time passcode from the Duo Mobile app.
  • Security Key: Tap a WebAuthn/FIDO2 security key. Requires Chrome, Safari, Firefox, or Edge.
  • Add call or text: Receive a one-time passcode in an SMS message or approve a login attempt with a phone call from Duo.

Only your organization's Duo administrator or help desk can add hardware tokens and Yubikey OTP tokens for you. These verification options do not show up in the list of available options. Neither do any methods that your organization blocks from use; if your Duo administrator applied a policy that doesn't allow authentication with text messages or phone calls, the "Add call or text" option will be missing when you enroll.

Select Identity Verification method

Step Three: Add Your Chosen Method

Once you choose how to verify your identity, you will next complete the setup steps for that method.

Touch ID

In order to use Touch ID with Duo, make sure you have the following:

  1. Read the Touch ID information and click Add Touch ID.
    Begin Touch ID Enrollment
  2. Chrome prompts you to verify your identity on duosecurity.com.
    Chrome Touch ID Prompt
  3. Place your finger on the Touch ID button in the Touch Bar to complete Touch ID enrollment.
    Touch ID on MacBook Pro
  4. When you receive confirmation that you added Touch ID as a verification method click Continue to login to log in to the application using your fingerprint sensor.
    Touch ID Enroll Success

If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to add each of them separately as a new Touch ID device in Duo. To do this, your organization must have enabled self-service device management.

Duo Mobile App

Duo Mobile is an app that runs on iOS and Android phones and tablets. It's fast and easy to use, and doesn't require cell services. Duo pushes login requests to Duo Mobile when you have mobile data or wifi connectivity to the internet. When you have no data service, you can generate passcodes with Duo Mobile for logging in to applications.

The current version of Duo Mobile supports iOS 12.0 or greater and Android 8 or greater.

  1. Select your country from the drop-down list and type your mobile phone number, and then click Add phone number.
    Enter Phone Number for Duo Mobile
    If you're going to use Duo Mobile on a tablet (like an iPad) with no phone service, don't enter a phone number and click I have a tablet instead.
  2. If you entered a phone number, double-check that you entered it correctly and click Yes, it's correct to continue (or No, change it to go back and enter the number again).
    Confirm Phone Number for Duo Mobile
  3. Download and install Duo Mobile on your phone or tablet from the Google Play Store or Apple App Store. Once you have Duo Mobile installed click Next.
    Install Duo Mobile
  4. Open the Duo Mobile app on your phone or tablet and add this account by scanning the barcode shown on-screen.
    Scan Barcode in Duo Mobile
    If you aren't able to scan the barcode, tap Or email activation code and then enter your email address to send the activation link to yourself. Follow the instructions in the email to activate the new account in Duo Mobile.
  5. When you receive confirmation that Duo Mobile setup succeeded click Continue to login to log in to the application with Duo Push or with Duo Mobile passcode.
    Duo Mobile Enroll Success

Security Key

A security key is an external device that when tapped or when the button is pressed sends a signed response back to Duo to validate your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

To use a security key with Duo, make sure you have the following:

  1. Read the security key information and click Add Security Key.
    Begin Security Key Enrollment
  2. Your browser prompts you tap your security key to use it with Duo (Chrome example shown).
    Chrome Security Key Prompt
  3. Your browser may prompt you to confirm that you do want to allow duosecurity.com to know information about the security key (Chrome example shown).
    Chrome Security Key Confirmation
  4. When you receive confirmation that you added your security key as a verification method click Continue to login to log in to the application using your security key.
    Security Key Enroll Success

Phone for Call or Text

This option is suitable for mobile phones that can't run Duo Mobile, or office phones and landlines.

  1. Select your country from the drop-down list and type your phone number, and then click Add phone number.
    Enter Phone Number
    If this phone number is a landline and can't receive text messages, select the This is a landline phone option before continuing.
  2. If you opted to add a landline, enter the extension on the next screen and click Add extension or click Skip this step if you do not need to enter an extension for your landline.
    Enter Landline Extension
  3. Verify that the phone number shown (and landline extension, if you entered one) is accurate and click Yes, it's correct to continue (or No, change it to go back and enter the number again).
    Confirm Phone Number
  4. When you receive confirmation of adding the new phone number, click Continue to login to log in to the application with a passcode received via text message or a phone call from Duo.
    Duo Phone Number Enroll Success

Add or Manage Devices After Enrollment

If enabled by your administrator, you can add additional verification methods or manage your existing devices from the Duo Universal Prompt.

When logging in to an application with the Universal Prompt, click the Other options link on the authentication page to view your list of available methods. If your organization enabled self-service device management then you'll see a Manage devices choice at the end of the list. Click that to enter the device management portal.

Manage Devices Option

To access the device management you'll first need to verify your identity, just as you do when logging in to a service or application protected by Duo. Click on an available option to verify your identity. If you're visiting device management to delete or update a device you don't have anymore (such as phone you lost or replaced), be sure to pick a verification option that you still have with you. If you don't have any devices you can use to authenticate to device management, contact your organization's Duo administrator or help desk.

Verification for Device Management

After approving a Duo authentication request, you can see all your registered devices in the device management portal.

Device Management Portal

Add Another Device

To add a new method of verifying your identity in Duo, click Add a device and select one of the verification options.

Add a New Device

Duo takes you through the steps of adding the new device, just like first-time enrollment. The difference between adding a new device from device management and during first-time enrollment is that when you have finished enrolling the new device you return to the device management page to view all your registered devices, including the new one, instead of continuing to log into an application.

Newly Added Device in Device Management Portal

Rename or Remove a Device

Click Edit and then Rename to give a device a new name to help you identify it. This new name shows up in the verification method list and on the authentication page when you log in with Duo to make it easier for you to identify which device you're using.

Rename a Device

To delete a device, click Edit and then Remove. You'll be able to confirm that you want to remove this device before deleting it. Once deleted, a verification device can't be restored, but if you still have the device available you can add it again. You can't delete your only identity verification device.

Confirm Device Deletion

Reactivate Duo Mobile for an Existing Device

Duo's traditional prompt's device management offered a link to reactivate a device previously enrolled and activated with Duo Mobile. In the Universal Prompt device management portal, there is not an explicit link to reactivate Duo Mobile for a phone or tablet, but you can do this by adding a new Duo Mobile device and entering the same phone number that you used before. The enrollment steps will let you scan the activation barcode with your phone, effectively reactivating it for Duo Push and Duo Mobile passcode generation.

Software Updates and Device Health

The Universal Prompt preview will include software update and device health checks in a future release. Until then, you will fall back to the traditional Duo Prompt for the device health and software checks and notifications.

Personal Devices

Your organization may choose to block access to applications from devices not managed by the organization. The Universal Prompt preview will include device management checks in a future release. Until then, you will fall back to the traditional Duo Prompt for the managed device check and any notifications.

How to Get Help

If you can't authenticate or aren't sure what to do, contact your organization's Duo administrator or help desk for guidance. If you click Need help? at the bottom-left of the Universal Prompt your administrator may have customized the help text with further instructions or contact information. Please do not contact Duo Support directly, as Duo Support can only assist named Duo account administrators.