Duo Universal Prompt

Introducing Duo's refreshed authentication experience, the Universal Prompt.

About the Duo Universal Prompt

When you log into an application protected with Duo using a web browser or certain client applications, you see a Duo prompt after entering your application login information.

The Universal Prompt provides a simplified Duo experience over the traditional prompt, helping you log in to your applications faster than before.

You'll notice that the Duo login options look different from how they did in the traditional prompt, but the Universal Prompt still supports a wide range of Duo login options so you (or your Duo administrator) can choose the options that work best for your organization.

Another difference between the Universal Prompt and the traditional prompt is that the traditional prompt loads on a web page that's part of your organization's application, while with the Universal Prompt your browser redirects to a page hosted by Duo for you to verify your login attempt, and then redirects back to the application.

Here's a comparison of logging in with Duo Push in the Universal Prompt and traditional prompt:

[Images: Duo Push in Universal Prompt | Duo Push in Traditional Prompt]

Supported Browsers

The Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), Edge, and Internet Explorer. Not all browsers support all Duo authentication methods, so for the widest compatibility we recommend Chrome.

Check the table below for supported browser versions and Duo login option compatibility. Duo's support for the minimum browser version includes Duo Push, passcode, and phone call authentication options. Other login options, like Touch ID, may require a different browser or a newer minimum browser version, as noted in the table.

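| Browser           | Minimum Supported Version | Security Keys Minimum Version | Touch ID Minimum Version |
|-------------------|---------------------------|-------------------------------|--------------------------|
| Chrome            | 38                        | 70                            | 70                       |
| Safari            | 9                         | 13 on macOS, 13.4 on iOS      | Not supported            |
| Firefox           | 47                        | 60                            | Not supported            |
| Edge              | 17                        | 79                            | Not supported            |
| Internet Explorer | 11                        | Not supported                 | Not supported            |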

While other browsers may work with the Universal Prompt, Duo actively tests and supports the browsers and minimum versions listed in the table.

When you log in, Duo checks your current browser or client compatibility with the Universal Prompt. If your browser or client is not compatible, Duo will show you the traditional prompt experience instead.

Language Support

Your browser's language settings determine the language shown in the Universal Prompt, with no extra configuration necessary.

When the Universal Prompt displays English, Spanish, French, German, or Japanese, phone callback authentication will use the same language shown in the prompt.

Chinese (Simplified), Czech, Danish, Finnish, Hindi, Indonesian, Italian, Korean, Norwegian, Polish, Portuguese (Brazil), Swedish, Thai, Turkish, and Vietnamese languages will display in the Universal Prompt, but phone callback authentication will be in English.

Log In With the Duo Universal Prompt

After completing Duo enrollment (or if your Duo administrator set you up to use Duo), you'll see the Duo prompt the next time you perform a browser-based login to a web service or application protected with Duo.

The first time you log in to an application with Duo using the Universal Prompt, Duo chooses one of your configured login options automatically, selecting the most-secure method from the ones you have available.

Duo authentication methods from most to least secure:

  1. Touch ID
  2. Security keys
  3. Duo Mobile push approval
  4. YubiKey passcodes
  5. Duo Mobile generated passcodes
  6. Hardware token passcodes
  7. SMS passcodes
  8. Phone call approval

Duo considers Touch ID and security keys to be the most secure authentication methods, so if you have set up either of these methods and the application allows their use, you'll automatically see the prompt to use your fingerprint with Touch ID or tap your security key the first time you log into that application.

The next most secure Duo method is using Duo Mobile to approve push notifications. If you do not have Touch ID or a security key available, but you do have a phone or tablet with Duo Mobile activated, the Universal Prompt will automatically send you a Duo Push the first time you log in to that application.

If you haven't set up Duo Mobile, then the Duo Universal Prompt automatically selects your next available option, following the most to least secure preference order.

If you don't want to use the method Duo automatically suggests for that application, cancel the Duo authentication in progress and click or tap Other options. Then, select the method you want from the list.

Completing Duo login sets the login option you used as the first choice for this application. Future Universal Prompt logins to that application from the same device and browser will automatically use that same method. If you cancel the authentication in process and choose a different device, then the device you use becomes the first choice for that application.

There is no way to turn off automatic device selection, or to explicitly configure a default authentication device.

Your organization's Duo administrator may choose to block some authentication options for certain applications, requiring that you choose a different device. Since Duo remembers the last-used authentication device for each application you access, the Universal Prompt should always display the right default option for that application.
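The selection behaviour described in this section, modelled in Python as an added example (this is not Duo's code). It combines the preference order, the browser table above, policy blocks and the remembered method, then lists which users would default to SMS or phone call. The method identifiers, function names and sample users are constructed; falling back to the preference order when the remembered method is blocked, and treating unlisted browsers as incompatible, are assumptions.

```python
"""Model of Universal Prompt automatic method selection (added example)."""

# Preference order from the page, most to least secure.
PREFERENCE = [
    "touch_id", "security_key", "duo_push", "yubikey_passcode",
    "duo_mobile_passcode", "hardware_token_passcode",
    "sms_passcode", "phone_call",
]
# The two methods the page ranks last.
WEAK = {"sms_passcode", "phone_call"}

# Minimum versions from the page's browser table, as version tuples.
# None means the method is not supported in that browser.
BROWSERS = {
    "chrome":       {"min": (38,), "security_key": (70,),   "touch_id": (70,)},
    "safari-macos": {"min": (9,),  "security_key": (13,),   "touch_id": None},
    "safari-ios":   {"min": (9,),  "security_key": (13, 4), "touch_id": None},
    "firefox":      {"min": (47,), "security_key": (60,),   "touch_id": None},
    "edge":         {"min": (17,), "security_key": (79,),   "touch_id": None},
    "ie":           {"min": (11,), "security_key": None,    "touch_id": None},
}


def usable_methods(enrolled, browser, version, blocked=frozenset()):
    """Enrolled methods usable in this browser under this policy, best first.

    Returns None when the browser is below the listed minimum (or unlisted,
    by assumption), in which case the traditional prompt is shown instead.
    """
    caps = BROWSERS.get(browser)
    if caps is None or version < caps["min"]:
        return None
    usable = []
    for method in PREFERENCE:
        if method not in enrolled or method in blocked:
            continue
        if method in ("touch_id", "security_key"):
            needed = caps[method]
            if needed is None or version < needed:
                continue  # WebAuthn method not available in this browser
        usable.append(method)
    return usable


def default_method(enrolled, browser, version, blocked=frozenset(),
                   remembered=None):
    """Method the prompt would start with for one application.

    `remembered` is the method last used for this application from the same
    device and browser; it wins if it is still usable.
    """
    usable = usable_methods(enrolled, browser, version, blocked)
    if usable is None:
        return "traditional_prompt"
    if remembered in usable:
        return remembered
    return usable[0] if usable else None  # None: nothing left to offer


def weak_default_users(users, blocked=frozenset()):
    """Names of users whose automatic default is SMS or phone call."""
    return [
        u["user"] for u in users
        if default_method(u["enrolled"], u["browser"], u["version"],
                          blocked, u.get("remembered")) in WEAK
    ]


# Constructed sample enrollment data, for illustration only.
USERS = [
    {"user": "alice", "enrolled": {"security_key", "duo_push"},
     "browser": "chrome", "version": (96,)},
    {"user": "bob", "enrolled": {"duo_push", "phone_call"},
     "browser": "edge", "version": (90,), "remembered": "phone_call"},
    {"user": "carol", "enrolled": {"touch_id", "sms_passcode"},
     "browser": "firefox", "version": (91,)},
]

if __name__ == "__main__":
    print("weak defaults:", weak_default_users(USERS))
    print("with SMS/phone blocked:", weak_default_users(USERS, WEAK))
```

In the sample data, bob stays on phone call only because it is his remembered method, and carol lands on SMS because Firefox does not support Touch ID; both change once a policy blocks those two methods.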

Choose a Different Method

If you ever want to choose a different device or Duo method than the one shown automatically by the Universal Prompt, click Other options near the bottom. This takes you to a list of all your available Duo authentication options. Click on the one you want to use and follow the instructions shown to complete logging in to the application.

List of Authentication Options in Universal Prompt

Your organization might apply a policy that prevents the use of some authentication methods for one or all applications. If so, those options won't show up in the list.

Remembered Devices

If your organization's policy allows it, you may be able to skip authenticating with Duo again for a set amount of time. The first time you approve the Duo authentication request, you'll see the option to trust this browser. This creates a trusted browser session that will let you skip Duo two-factor authentication when you log in again with the same browser and device until that trust session expires.

Depending on the policy applied by your Duo administrator, this may trust your browser across all your organization's Duo-protected applications, or there may be unique policies applied to applications that require you to perform Duo authentication again regardless of whether you trusted your browser. Ask your Duo administrator or help desk for more information.

Do not trust the browser when using a public or shared computer! This could leave your Duo session available to other users. Trust the browser only when you access applications from your own computer.

Clicking on No, do not trust browser will not create a trust session. You won't be asked to trust that browser again for 14 days.

First-Time Browser Trust Option in Universal Prompt

When your trusted browser session expires, you will need to use two-factor authentication again. Duo Push, phone call, text message, and passcode authentication methods will show the option to trust the browser already enabled for you. Leaving the option enabled creates a new trusted browser session.

If you don't want to trust that browser again, uncheck the Trust browser box before you approve the Duo Push or phone call request or enter a passcode.

Browser Trust Option for Duo Push

If you log in automatically with a WebAuthn method like Touch ID or a security key, you won't see the Trust browser option on the page. You will need to cancel the Duo authentication in progress if you don't want to trust that browser again. This sends you back to the page where you can uncheck the Trust browser box and then try to log in again.

Browser Trust Option for Touch ID

Duo Universal Prompt Login Options

Availability of the following Duo login options in the Universal Prompt depends on your browser or browser version, or on the policies applied by your organization's Duo administrator.

Duo Push

Pushes a login request to your iOS or Android phone or tablet if you have Duo Mobile installed and activated. Review the request on your phone or tablet and tap Approve to log in to the application.

Duo Push in Universal Prompt

Verified Duo Push

Your organization may wish for you to enter a verification code shown within the Duo Universal Prompt into Duo Mobile when you approve a Duo Push request. This protects you from approving login requests not made by you and helps keep your accounts and information safe.

If your organization requires Duo Push verification, Duo Universal Prompt displays a numeric code three to six digits in length on-screen when you choose to use Duo Push to log in to that application.

Duo Push Verification Code in Duo Universal Prompt

Enter the code shown on your screen into the Duo Push request received on your Android or iOS device and tap Verify to approve the login request.

Security Key

A security key plugs into your USB port and when tapped or pressed it sends a signed response back to Duo to verify your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

In order to use a security key with Duo, make sure you have the following:

  • A supported browser (check the table above to verify your browser supports security keys).
  • An available USB port.
  • A WebAuthn/FIDO2 security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. U2F-only security keys (like the YubiKey NEO-n) are not supported.

Insert your security key if not already plugged in, and then tap or press your security key when prompted to log in to the application. Some types of keys flash as a prompt for you to authenticate. Your browser may also pop up a prompt instructing you to tap your security key.

Security Key in Universal Prompt

You need to interact with the prompt to use a security key from Safari browser on macOS or any browser on iOS. Click or tap the Use security key button and then tap or press your security key.

Security Key in Universal Prompt in Safari

If you need to cancel a security key authentication in progress, click or tap the cancel option shown by your browser, outside of the Duo Universal Prompt.

Fingerprint Sensor

Fingerprint authentication lets you use your device's fingerprint sensor for Duo login verification. Duo supports fingerprint verification with Touch ID on Apple MacBooks and Magic Keyboards.

Touch ID

In order to use Touch ID with Duo, make sure you have the following:

Touch your Mac's Touch ID sensor when prompted to log in to the application. If you aren't able to access the Touch ID sensor (such as when you close and dock your laptop), then you can choose to type in your Mac login password instead to verify.

Touch ID in Universal Prompt

If you need to cancel a Touch ID authentication in progress, click or tap the cancel option shown by your browser, outside of the Duo Universal Prompt.

Duo Mobile Passcode

Log in using a passcode generated by the Duo Mobile app installed and activated on your Android or iOS device. Open Duo Mobile and locate your organization's account in the accounts list, and tap it to generate a six-digit passcode. Enter that passcode into the space provided and click or tap Verify to log in to the application.

Duo Mobile Passcode in Universal Prompt

YubiKey Passcode

Log in using a passcode generated by a YubiKey. Connect or plug in your YubiKey and press it to generate and submit a passcode to log in to the application.

Your administrator must have configured the YubiKey for passcode use in Duo. This is a separate function from using a YubiKey as a security key.

YubiKey Passcode in Universal Prompt

Hardware Token Passcode

Log in using a passcode generated by a hardware token provided to you by your organization. Enter that passcode into the space provided and click or tap Verify to log in to the application.

Hardware Token Passcode in Universal Prompt

Text Message Passcode

Log in using a passcode received from Duo in a text message. When you land on the text message page, it will show that a text message was just sent to you with a passcode. When you receive the message, enter that passcode into the space provided and click or tap Verify to log in to the application.

If you did not receive the text message from Duo, use the Send a new passcode link to try sending it again.

Passcodes received in a text message expire when used.

Text Message Passcode in Universal Prompt

Phone Call

Authenticate via phone callback. Answer the phone call from Duo and follow the voice instructions to log in to the application.

Phone Call in Universal Prompt

Bypass Code

Log in using a code provided by your organization's Duo administrator or help desk. Enter that code into the space provided and click or tap Verify to log in to the application.

Bypass Code in Universal Prompt

First-time Enrollment in Duo

Enrollment is the process that registers you as a user in Duo with a device capable of performing two-factor authentication. Duo prompts you to enroll the first time you log into a protected VPN or web application when using a browser or client application that shows the interactive Duo web-based prompt. Follow the on-screen prompts to set up your Duo authentication device.

 

Instead of enrolling when you log in to an application, you might receive an email from your organization's Duo administrator with an enrollment link. For now, an emailed enrollment link takes you to enrollment in the traditional Duo prompt.

Step One: Introduction

Logging into a Duo-protected application enabled for self-enrollment takes you to the device management page to enroll. Click Next to learn why protecting your identity with two-step verification is important and begin the setup process.

Begin Universal Enrollment

Step Two: Choose Your Verification Method

Click the device type in the list that matches your desired authentication experience:

  • Touch ID: Use the fingerprint sensor on Apple MacBooks and Magic Keyboards. Requires Chrome 70 or later.
  • Duo Mobile: Approve Duo Push verification requests on iOS or Android devices, or generate a one-time passcode from the Duo Mobile app.
  • Security key: Tap a WebAuthn/FIDO2 security key. Requires Chrome, Safari, Firefox, or Edge.
  • Phone number: Receive a one-time passcode in an SMS message or approve a login attempt with a phone call from Duo.

Only your organization's Duo administrator or help desk can add hardware tokens and Yubikey OTP tokens for you. These verification options do not show up in the list of available options. Neither do any methods that your organization blocks from use; if your Duo administrator applied a policy that doesn't allow authentication with text messages or phone calls, the "Phone number" option will be missing when you enroll.

Duo recommends the most secure option of the methods available to you, so it's a good idea to set up that method first if you have a device that supports it.

Select Identity Verification method

Step Three: Add Your Chosen Method

Once you choose how to verify your identity, you will next complete the setup steps for that method.

Touch ID

In order to use Touch ID with Duo, make sure you have the following:

  1. Read the Touch ID information and click Continue.
    Begin Touch ID Enrollment
  2. Chrome prompts you to verify your identity on duosecurity.com.
    Chrome Touch ID Prompt
  3. Place your finger on the Touch ID button in the Touch Bar to complete Touch ID enrollment.
    Touch ID on MacBook Pro
  4. When you receive confirmation that you added Touch ID as a verification method click Continue.
    Touch ID Added

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your fingerprint sensor.

If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to add each of them separately as a new Touch ID device in Duo. To do this, your organization must have enabled self-service device management.

Duo Mobile

Duo Mobile is an app that runs on iOS and Android phones and tablets. It's fast and easy to use, and doesn't require cell services. Duo pushes login requests to Duo Mobile when you have mobile data or wifi connectivity to the internet. When you have no data service, you can generate passcodes with Duo Mobile for logging in to applications.

The current version of Duo Mobile supports iOS 13.0 or greater and Android 8 or greater.

  1. Select your country from the drop-down list and type your mobile phone number, and then click Add phone number.
    Enter Phone Number for Duo Mobile
    If you're going to use Duo Mobile on a tablet (like an iPad) with no phone service, don't enter a phone number and click I have a tablet instead.
  2. If you entered a phone number, double-check that you entered it correctly and click Yes, it's correct to continue (or No, change it to go back and enter the number again).
    Confirm Phone Number for Duo Mobile
    If the phone number you entered already exists in Duo as the authentication device for another user then you'll need to enter a code sent to that number by phone call or text message to confirm that you own it. Choose how you want to receive the code and enter it to complete verification and continue.
    Verify Ownership of Shared Phone
  3. Download and install Duo Mobile on your phone or tablet from the Google Play Store or Apple App Store. Once you have Duo Mobile installed click Next.
    Install Duo Mobile
  4. Open the Duo Mobile app on your phone or tablet and add this account by scanning the QR code shown on-screen.
    Scan QR Code in Duo Mobile
    If you aren't able to scan the QR code, tap Or email activation code and then enter your email address to send the activation link to yourself. Follow the instructions in the email to activate the new account in Duo Mobile.
  5. When you receive confirmation that Duo Mobile was added click Continue.
    Duo Mobile Added Success

You can now log in to Duo-protected applications with Duo Push or with a Duo Mobile passcode.

Security Key

A security key is an external device that when tapped or when the button is pressed sends a signed response back to Duo to validate your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

To use a security key with Duo, make sure you have the following:

  1. Read the security key information and click Continue.
    Begin Security Key Enrollment
  2. Your browser prompts you to tap your security key to use it with Duo (Chrome example shown).
    Chrome Security Key Prompt
  3. When you receive confirmation that you added your security key as a verification method click Continue.
    Security Key Enroll Success

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your security key.

Phone for Call or Text

This option is suitable for mobile phones that can't run Duo Mobile, or office phones and landlines.

  1. Select your country from the drop-down list and type your phone number, and then click Add phone number.
    Enter Phone Number
    If this phone number is a landline and can't receive text messages, select the This is a landline phone option before continuing.
  2. If you opted to add a landline, you can enter the landline's extension on the next screen and click Add extension or click Skip this step if you do not need to enter an extension for your landline.
    Enter Landline Extension
  3. Verify that the phone number shown (and landline extension, if you entered one) is accurate and click Yes, it's correct to continue (or No, change it to go back and enter the number again).
    Confirm Phone Number
    If the phone number you entered already exists in Duo as the authentication device for another user then you'll need to enter a code sent to that number by phone call or text message to confirm that you own it. Choose how you want to receive the code and enter it to complete verification and continue.
    Verify Ownership of Shared Phone
  4. When you receive confirmation of adding the new mobile phone number for texts or calls, click Continue to login to log in to the application with a passcode received via text message or a phone call from Duo.
  5. When you receive confirmation of adding the new phone number for text messaging, click Continue to log in to the application with a passcode received via text message or a phone call from Duo.
    Duo Phone Number Enroll Success
    If you added a landline phone number, click Continue to log in to the application with a phone call from Duo.
    Duo Phone Number Enroll Success

Step Four: Add a Backup Method

It's a good idea to add a second verification method that you can use as a backup if the first method you added isn't available to you at some point, like if you lose or forget your phone and need to log in with Duo, or if you want to access an application from a different MacBook than the one you used to set up Touch ID in Duo.

When you click Continue after registering your first verification method, Duo prompts you to add another one.

Add Another Duo Verification Method

Choose any of the available methods and proceed through the steps for adding it. If you don't want to add another method at this time, click Skip for now.

After you add a second login verification method, or if you chose to skip it, you'll arrive at the end of the Duo setup process. Click Log in with Duo to log in to the application using the Duo method you just added.

Universal Prompt Device Setup Complete

Add or Manage Devices After Enrollment

If enabled by your administrator, you can add additional verification methods, manage your existing devices, or reactivate Duo Mobile for Duo Push from the Duo Universal Prompt.

When logging in to an application with the Universal Prompt, click the Other options link on the authentication page to view your list of available methods. If your organization enabled self-service device management then you'll see a Manage devices choice at the end of the list. Click that to enter the device management portal.

Manage Devices Option

To access the device management you'll first need to verify your identity, just as you do when logging in to a service or application protected by Duo. Click on an available option to verify your identity. If you're visiting device management to delete or update a device you don't have anymore (such as a phone you lost or replaced), be sure to pick a verification option that you still have with you. If you don't have any devices you can use to authenticate to device management, contact your organization's Duo administrator or help desk.

Verification for Device Management

After approving a Duo authentication request, you can see all your registered devices in the device management portal.

Device Management Portal

Add Another Device

To add a new method of verifying your identity in Duo, click Add a device and select one of the verification options.

Add a New Device

Duo takes you through the steps of adding the new device, just like first-time enrollment. The difference between adding a new device from device management and during first-time enrollment is that when you have finished enrolling the new device you return to the device management page to view all your registered devices, including the new one, instead of continuing to log into an application.

Newly Added Device in Device Management Portal

Rename or Remove a Device

Click Edit and then Rename to give a device a new name to help you identify it. This new name shows up in the verification method list and on the authentication page when you log in with Duo to make it easier for you to identify which device you're using.

Rename a Device

To delete a device, click Edit and then Remove. You'll be able to confirm that you want to remove this device before deleting it. Once deleted, a verification device can't be restored, but if you still have the device available you can add it again. You can't delete your only identity verification device.

Confirm Device Deletion

Reactivate Duo Mobile for an Existing Device

If you have replaced the phone you activated for Duo Push, or if Duo Push stops working, you can get Duo Push working again without contacting your help desk. If your organization has self-service enabled, you'll see the I got a new phone link in the Universal Prompt when a Duo Push authentication times out. Click or tap that link to begin the reactivation process.

Begin Duo Push Reactivation

If you still use the same phone number as you did when you first set up the phone to use Duo Push, then click or tap the Text me a link button. When the text message with the link arrives on your phone, tap it to automatically reactivate Duo Mobile on your phone to use Duo Push again. If you don't have Duo Mobile installed be sure to install it before you try to open the activation link in the text message.

If you are using a different phone number than the one you first set up to use Duo Push then tap or click the I got a new number link.

Send Text Reactivation Link to your Phone

If you have a new phone number then you can't send yourself a text message with a Duo Push reactivation link. Click or tap Continue to proceed to the Duo self-service device management portal, where you can complete the steps to add your new phone number and set up Duo Push on the new phone so you can use it to log in with Duo.

You'll still need to verify your identity with a different Duo verification method, so if you don't have one available you will need to contact your organization's help desk or Duo administrator for assistance.

Continue to Device Management

You can also reactivate Duo Mobile for use with Duo Push on a new phone from the device portal if it uses the same phone number as when you set up the original phone in Duo.

  1. Locate the existing phone in the device management portal and click the I have a new phone link.
  2. Click Get started if your phone uses the same phone number as before. If you want to add a new phone with a different number, cancel reactivation and follow the process for adding a new device instead.
    Start Duo Mobile Reactivation
  3. Verify that you have access to the phone by clicking Send me a passcode or Or call my phone to receive a passcode from Duo.
    Confirm Phone Ownership
  4. Enter the verification passcode you received in a text message or phone call and click Verify .
    Verify Phone Ownership with a Passcode
  5. Install the Duo Mobile app on your new phone if you hadn't already done so, open it and tap Add to scan the QR code shown on-screen, continuing the same steps you completed when you originally set up Duo Mobile for Duo Push on your phone.
    Scan QR Code in Duo Mobile
  6. Click Continue when you've finished reactivating Duo Mobile on your new phone to return to the device management portal.

If your existing phone stops receiving Duo Push requests your Duo administrator or help desk might suggest that you try reactivating Duo Mobile on your phone with this process as a troubleshooting step.

Software Updates

The Universal Prompt includes software update checks.

Duo Out-of-Date Software Warning from Duo Universal Prompt

Refer to the Duo Software Update page to learn about software notifications shown by Duo and how to update your software.

Duo Device Health

Duo Device Health is an application installed on your desktop or laptop that performs health checks whenever you access Duo protected applications through the Universal Prompt, ensuring that your computer meets the organization’s security requirements. This helps protect corporate data and make sure your computer is less vulnerable to compromise.

Duo Device Health Check from Duo Universal Prompt

Refer to the Duo Device Health page to learn how to install Duo Device Health and address issues discovered by the app.

Personal Devices

Your organization may choose to block access to applications from devices not managed by the organization. The Universal Prompt will include device management checks in a future release. Until then, you will fall back to the traditional Duo Prompt for the managed device check and any notifications.

Refer to the traditional Duo Prompt page to learn about personal devices and Duo.

How to Get Help

If you can't authenticate or aren't sure what to do, contact your organization's Duo administrator or help desk for guidance. If you click Need help? at the bottom-left of the Universal Prompt your administrator may have customized the help text with further instructions or contact information. Please do not contact Duo Support directly, as Duo Support can only assist named Duo account administrators.