D247: Duo Release Notes for August 19, 2022

Hello everyone! Here are the release notes for the most recent updates we’ve made to Duo.

You can subscribe to notifications for new release notes by following the process described here. If you have any questions about these changes, please comment below.

What’s in this release?

New features, enhancements, and other improvements

New and updated applications


New features, enhancements, and other improvements

Available in public preview: Duo Push authentication with Duo Passwordless

  • Duo Passwordless users can now use Duo Push as a passwordless authentication method as part of the next phase of our public preview.
  • Any MFA, Access, and Beyond customer using Duo Single Sign-On can opt into the Duo Passwordless with Duo Push public preview.
  • Refer to the setup documentation for more details.

Available in public preview: Verified Duo Push

  • Verified Duo Push enhances Duo Push by making it easy for end-users to identify their own push requests or any fraudulent push requests, protecting against push harassment or push fatigue attacks.
  • When an end-user logs into an application protected by Verified Duo Push, they will see a six-digit verification code in the Duo Universal Prompt.

  • Duo Mobile prompts the user for the verification code and displays contextual information about the authentication request to help end-users quickly identify any problems.
  • Verified Duo Push can be configured using the Duo authentication methods policy. Refer to our setup documentation for instructions.
  • Verified Duo Push is supported by the Universal Prompt. Verified Push is not available in the traditional Duo Prompt or for non-browser applications such as Duo Authentication for Windows Logon.

Duo Universal Prompt now reminds end-users to open Duo Mobile to respond to push notifications

  • If Duo detects that a Duo Push sent to a user’s phone has not arrived after 7 seconds of beginning the authentication request, the Universal Prompt will show an “Open Duo Mobile” message to remind the user to respond to the push.

Duo Admin Panel now indicates Early Access Features

  • New features, settings, and applications in public preview and available ahead of general availability may be noted by an Early Access badge or referred to as Early Access features in communication.

Duo Admin Panel Administrators list now provides a status filter

  • You can now quickly filter administrators by Status on the administrators list page in the Admin Panel.

Help Desk renamed Admin Role Permissions in Global Settings

  • Help desk is now a subsection of Admin Role Permissions.

New and updated applications

Duo Network Gateway Version 2.1.0

  • Updated dependencies to address CVE-2022-21712.
  • Upgraded bundled Redis version to 6.2.6.
  • Updated the Redis image to Debian 11 LTS.
  • Cookies now use HMAC_SHA256 instead of HMAC_SHA1 for signing and verification.
  • Added support for the PROXY protocol for customers with high-availability deployments featuring load balancers that do not terminate TLS and add an X-Forwarded-For header.
  • Supports TLS v1.3 for incoming connections.
  • Performance enhancements to requests per second (RPS) after users have logged in to DNG.
  • A password reset is now required on initial Duo Network Gateway setup. DNG administrators performing initial configuration must have shell access to the server hosting the Docker containers to complete this step.
  • The DNG admin panel now lists sessions for all users connected through the DNG and offers the ability to terminate a user’s sessions.

DuoConnect Version 2.0.3 for macOS

  • Implements stricter certificate requirements. SSH & RDP connections to SSH & App Relays that provide their own SSL certificate will fail if the uploaded certificate for the DNG or the Relay does not contain a DNS subject alternate name value matching the common name.
  • DuoConnect now implements better support for RDP connections from endpoints shared by multiple users (i.e. laptops/machines).
  • Added two new command line installation switches: -getReg to get your current DNG registration and -clearReg to clear your current DNG registration.
  • Refined DuoConnect log output so that it provides more meaningful information to aid in support escalations.
  • Updated Go version used to compile DuoConnect from 1.16.15 to 1.18.1.

DuoConnect Version 2.0.3 for Windows

  • Implements stricter certificate requirements. SSH & RDP connections to SSH & App Relays that provide their own SSL certificate will fail if the uploaded certificate for the DNG or the Relay does not contain a DNS subject alternate name value matching the common name.
  • DuoConnect now implements better support for RDP connections from endpoints shared by multiple users (i.e. laptops/machines).
  • Added two new command line installation switches: -getReg to get your current DNG registration and -clearReg to clear your current DNG registration.
  • Corrected an issue with uninstalling DuoConnect in uncommon client scenarios.
  • Refined DuoConnect log output so that it provides more meaningful information to aid in support escalations.
  • Updated Go version used to compile DuoConnect from 1.16.15 to 1.18.1.

DuoConnect Version 2.0.3 for Linux

  • Implements stricter certificate requirements. SSH & RDP connections to SSH & App Relays that provide their own SSL certificate will fail if the uploaded certificate for the DNG or the Relay does not contain a DNS subject alternate name value matching the common name.
  • Refined DuoConnect log output so that it provides more meaningful information to aid in support escalations.
  • Updated Go version used to compile DuoConnect from 1.16.15 to 1.18.1.

Duo Device Health Application Public Beta Version 2.28.1 for Windows

  • Update to improve speed of password check for certain users.
  • Added ability to disable password check using a registry key.

Duo Mobile for Android version 4.22.0 released

  • Fixed a bug to display a Request Login ID for authentications that display custom Duo Push information.

Duo Mobile for iOS version 4.22.0 released

  • Duo Mobile Account Search gradual feature rollout:
    • End-users managing three or more accounts in Duo Mobile will see a search field to filter their accounts list.
    • Duo will make this feature available to all users gradually. Do not contact Duo Support or your organization’s Duo administrator to request the search bar as they cannot enable it for you.

I forgot to say …

The new Duo Network Gateway and DuoConnect versions are the same release announced in Release Notes on August 17. We announced these the same day of the release because the Duo Network Gateway version 2.1.0 addresses the security vulnerability CVE-2022-21712.

The new DuoConnect versions are optional and unrelated to the vulnerability addressed by the Duo Network Gateway update.

1 Like