Available Now! Passwordless Authentication Is Just a Tap Away
We are excited to announce that Duo Passwordless is now generally available across all Duo Editions. Read our announcement to get the full scoop.
In this post we’ll go over how we are enabling organizations to use the Duo Mobile authenticator app for passwordless authentication, built on a more secure version of Duo Push.
Why we’re excited about passwordless authentication
The problem we are solving for customers is helping them get started on their journey towards a passwordless future. We consistently hear from customers that the overhead and cost of getting their IT infrastructure and users ready for FIDO2 authenticators is a barrier to passwordless adoption. We also hear that administrators want to give end users a back-up authentication option in case they cannot use their primary passwordless authenticator.
Duo Mobile solves this problem by providing organizations with a cost-effective solution to start their passwordless journey without compromising on security. The user enrollment process is as seamless as it can be. If the user is already using Duo Mobile for MFA, there is no need to enroll for passwordless authentication separately. When the passwordless authentication policy is enabled, the user is presented with a choice to start using Duo Mobile without passwords. No additional steps are required.
How Passwordless Authentication with Duo Mobile works
Duo Mobile for passwordless authentication is inherently multi-factor authentication (MFA). Duo Push notification for passwordless logins requires a screen unlock (biometric or PIN) of the mobile device to approve the request. In this flow, the user proves “something you are” (biometric) and “something you have” (a registered device).
Further, we have built additional security into the login workflow to bind the browser session and the access device to the application being accessed. This mitigates attacks that leverage tactics such as MFA prompt bombing. Duo achieves this in the following ways:
Known device check: Once the passwordless authentication policy is enabled, the user first completes a successful multi-factor authentication from an access device, as a one-time login flow. This authorizes that specific access device to send a push notification for subsequent logins, ensuring that only known devices can send a passwordless notification.
Duo Push for Passwordless: On the subsequent login, the user is automatically put into a passwordless login workflow and is presented with a Duo Verified Push, which also requires biometric authentication on the mobile device. This strengthens the device binding with user authentication.
Trust this browser: When the authentication is complete, the user is presented with a “Trust this browser?” option. If the user chooses not to trust the browser, they will continue to receive Duo Verified Push on subsequent authentications. If the user chooses to trust the browser, a stronger binding with the access device is established and on subsequent logins, the user will then be presented with a regular push along with screen unlock. This reduces the friction for users as we have sufficiently established trust in the login flow.
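The three decisions above (known device check, Verified Push with number matching, and browser trust) can be written down as a small policy state machine. The Python below is an added illustrative model, not Duo’s code; the class name PasswordlessPolicy, the device and browser identifiers, and the dictionary return shapes are assumptions made for the example.

```python
import secrets


class PasswordlessPolicy:
    """Illustrative model (not Duo's implementation) of how the access device
    and browser state decide which push flavor a login receives."""

    def __init__(self):
        self.known_devices = set()     # access devices that completed the one-time MFA login
        self.trusted_browsers = set()  # browsers the user chose to trust
        self.pending = {}              # request_id -> number shown in the browser

    def complete_mfa(self, device_id):
        """One-time full MFA from an access device authorizes it to trigger pushes."""
        self.known_devices.add(device_id)

    def trust_browser(self, browser_id):
        """User answered 'Trust this browser?' with yes after a successful login."""
        self.trusted_browsers.add(browser_id)

    def start_login(self, device_id, browser_id):
        # Unknown access device: no push is sent at all, so an unsolicited
        # (prompt-bombing) push cannot originate from it.
        if device_id not in self.known_devices:
            return {"action": "require_mfa"}
        # Trusted browser: binding is already strong, so a regular push plus
        # screen unlock on the phone is enough (lower friction).
        if browser_id in self.trusted_browsers:
            return {"action": "push", "screen_unlock": True}
        # Known device but untrusted browser: Verified Push. The browser shows a
        # number that the user must type into Duo Mobile after unlocking it.
        number = f"{secrets.randbelow(1000):03d}"
        request_id = secrets.token_hex(8)
        self.pending[request_id] = number
        return {"action": "verified_push", "request_id": request_id,
                "number": number, "screen_unlock": True}

    def approve_verified_push(self, request_id, entered_number, screen_unlocked):
        """Approve only if the phone was unlocked and the typed number matches.
        A request is consumed on first use, whether it succeeds or fails."""
        expected = self.pending.pop(request_id, None)
        if expected is None or not screen_unlocked:
            return False
        # Constant-time comparison; a user who did not initiate the login
        # cannot know the number and so cannot approve by reflex.
        return secrets.compare_digest(expected, entered_number)
```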
Flavors of Duo Push
Duo Push is a popular authentication method among customers because of its ease of use. We have enhanced Duo Push to make it more secure. One evolution of our push is Duo Verified Push, which includes a number matching component. Now, Duo Push for Passwordless introduces a third flavor of Duo Push, which requires a biometric screen unlock in order to approve the request.
Duo Push
- Requires users to tap "Approve" on a registered device
- Low user friction
- Weak device binding
- Susceptible to MFA prompt bombing or MFA fatigue attacks
- We recommend using it in conjunction with the Trusted Endpoints policy to create strong device binding

Duo Verified Push
- Includes number matching
- Increases user friction deliberately
- More secure, creates device binding
- Mitigates MFA prompt bombing or MFA fatigue attacks

Duo Push for Passwordless
- Typically Duo Verified Push with biometric authentication; changes to Duo Push with biometric authentication once the user trusts the browser
- More secure, creates device binding
- Mitigates MFA prompt bombing or MFA fatigue attacks
Duo Mobile as a passwordless authenticator is available across all Duo Editions, including the Duo MFA edition. Many of our customers have already begun their passwordless journey. If you are looking to get started as well, sign up for a free trial and reach out to our amazing representatives.
To learn more, check out the updated eBook – Passwordless: The Future of Authentication, which outlines a 5-step path to getting started with passwordless. And watch the passwordless product demo in this on-demand webinar.