D256: Duo Release Notes for Dec 21, 2022

Happy Solstice, everyone! Here are the release notes for our most recent updates to Duo.

Public release notes are published on the Customer Community every other Friday, the day after the D-release is completely rolled out. We’ve published release notes for this sprint a couple of days early. You can subscribe to notifications for new release notes by following the process described here. If you have any questions about these changes, please comment below.

What’s in this release?

New features, enhancements, and other improvements

New and updated applications


New features, enhancements, and other improvements

Now in General Availability: Duo policy defaults

  • Duo has begun to roll out new policy defaults designed to give our customers a security posture that is resilient against trending attack patterns.
  • Please note that the new policy defaults feature will not modify your existing policies.
  • Existing Duo customers see the new policy defaults in only two cases:
  • The existing policy configuration will not be affected by new policy defaults when administrators edit existing policies without enabling a new policy section, apply an existing custom policy to a group or an application, reorder policies, update policy assignments, or unassign or delete policies.
  • The table below summarizes the affected policy section, Duo edition availability, and default policy configuration before and after release D256.
  • We recommend that you evaluate whether you prefer the old or new defaults and plan accordingly when creating new policies. As stated above, reverting the Global Policy to the default reverts your Global Policy to the new Duo policy defaults. If you prefer the old global defaults, or your own combination of defaults, edit the Global Policy to configure each policy section according to your preferences.
  • Please note that the Remember Me functionality in the traditional Duo Prompt will not work if you have Verified Duo Push enabled in your Duo Policy settings. In traditional Duo Prompt applications, end-users must authenticate every time, even when they select Remember Me. There are plans to address this in a future release. This does not apply to integrations that use the Universal Prompt or to Risk-Based Factor Selection.

Duo Passwordless now supports remembered devices policy

  • Passwordless logins may be subject to the same remembered devices policy as 2FA-only application logins. Users can opt to trust the browser when logging in to the application.

New OAuth 2.0 Client Credentials metadata fields added to Duo Single Sign-On Public Preview

Duo Trust Monitor UI updates

  • Miscellaneous visual bug fixes.
  • Unrealistic Geovelocity was re-labeled Unrealistic Travel.

Duo Risk-Based Factor Selection now evaluates for Unrealistic Geovelocity

  • When Risk-Based Factor Selection detects an unrealistic distance between the location of the current authentication and the previous successful authentication, it will step up to a more secure authentication factor.
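
The check described above, sketched as an added example (not Duo's implementation and not code from these release notes): each attempt is compared with the same user's previous successful authentication, and a step-up is requested when the implied travel speed is unrealistic. The `MAX_KMH` and `MIN_KM` thresholds, the event fields, and the sample events are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_KMH = 1000.0  # assumed speed ceiling (about airliner speed), not a Duo value
MIN_KM = 50.0     # assumed floor so geo-IP jitter is ignored, not a Duo value

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def evaluate(events):
    """Return (user, ts, decision) per attempt, in time order."""
    last_ok = {}  # user -> most recent successful authentication
    results = []
    for e in sorted(events, key=lambda e: e["ts"]):
        decision = "normal"
        prev = last_ok.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # Far-apart attempts at the same instant are unrealistic too.
            if km > MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
                decision = "step_up"
        results.append((e["user"], e["ts"], decision))
        if e["success"]:
            # Only successful logins move the baseline; a failed attempt
            # from far away must not make the real user look like the outlier.
            last_ok[e["user"]] = e
    return results

def ev(user, hhmm, lat, lon, ok):
    ts = datetime.strptime("2022-12-21 " + hhmm, "%Y-%m-%d %H:%M")
    return {"user": user, "ts": ts, "lat": lat, "lon": lon, "success": ok}

# Constructed sample events (not real log data).
SAMPLE = [
    ev("alice", "08:00", 42.28, -83.74, True),   # Ann Arbor
    ev("bob",   "08:05", 51.51, -0.13, True),    # London
    ev("alice", "09:00", 42.33, -83.05, True),   # Detroit, about 57 km in 1 h
    ev("alice", "10:00", 1.35, 103.82, False),   # Singapore 1 h later, failed
    ev("alice", "10:30", 42.33, -83.05, True),   # Detroit again
    ev("bob",   "20:00", 40.71, -74.01, True),   # New York, 12 h after London
]

if __name__ == "__main__":
    for user, ts, decision in evaluate(SAMPLE):
        print(user, ts.strftime("%H:%M"), decision)
```

Only the Singapore attempt is flagged; the later Detroit login stays normal because the failed attempt never became the comparison baseline.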

Support for three new languages now available for improved end-user localization

Duo now alerts Owners about expiring SAML certificates for Administrator Single Sign-On

  • When using SAML 2.0 to support Duo administrator SSO login to the Duo Admin Panel, certificates past or near expiration will trigger an email alert to Owner administrators.
  • The email alert will be sent 90, 60, 30, 7, and 1 day(s) before expiration, and every 30 days after expiration.

DNSSEC is now configured for Federal edition customer deployments

  • DNSSEC (Domain Name System Security Extensions) strengthens authentication by cryptographically signing DNS data, allowing DNS resolution to verify that data received matches the content and origin of the data sent. Most industry security standards encourage or require the use of DNSSEC.
  • By implementing DNSSEC, Duo will strengthen protection from attacker-in-the-middle and cache-poisoning attacks that can result in compromised access to protected applications.
  • DNSSEC is a requirement of FedRAMP Authorization.

New and updated applications

GitHub Enterprise for Duo Single Sign-On

Duo Mobile for Android version 4.31.0 released

  • Miscellaneous bug fixes and behind-the-scenes improvements.

Duo Mobile for iOS version 4.31.0

  • Pasting the Verified Duo Push code now enables the Submit button in the Duo Mobile 2FA prompt.

Duo Access Gateway 1.5.13 released for Windows and Linux

  • Updated PHP to 8.1.11.
  • Bug fixes and security enhancements.

Reminder: Duo Access Gateway (DAG) will reach end of life in October 2023. Customers may not create new DAG applications as of May 19, 2022. With the general availability of Duo Single Sign-On, which includes support for the Duo Universal Prompt, we may provide security updates for DAG but do not plan to release any additional feature enhancements to DAG, nor will we update DAG for Duo commercial plan customers to use the Universal Prompt.

Please see the Guide to Duo Access Gateway end of life for more details.
