Duo 2fa screen is blank in Windows browsers

I’m not sure where to ask this and my university’s support people aren’t responding. My university uses Duo to log in to secure resources. In a web broswer, I first enter my university login and password and then am taken to the Duo screen where I press a button to get a passcode to enter. Until about a week ago, this was working fine. Now the Duo screen is blank. This happens in Chrome, Edge and Opera on my laptop computer only. Everything works fine on my desktop computer.

I’ve disabled Malware Bytes and Windows Defender and firewall. I’ve rolled back the lastest Windows updates. I’ve enabled redirects/popups in Chrome just in case. I’ve even upgraded to Windows 11 and it’s made no difference. Anyone have any idea how to correct this? I also notice that none of the Duo Knowledge Base articles on duo.com are accessible to me. Just three moving dots appear and no article.

In Chrome or Edge try opening up the Developer Tools to watch the console tab output while you try to log in. Do you see any console errors logged when the Duo Prompt should be shown (but isn’t)?

The page stalls and remains blank and the Network tab in Chrome’s Developer Tools shows several Duo scripts have stalled. After a minute or two, it times out and an error shows up in the Console tab: “Refused to load the image ‘https://duo.com/’ because it violates the following Content Security Policy directive: “img-src ‘self’”.” I’ve tried to upload a screen capture.

<< EDIT: Removed image as it revealed customer information >>

In the “Issues” area of Chrome’s Developer Tools, it states: “Some resources are blocked because their origin is not listed in your site’s Content Security Policy (CSP). Your site’s CSP is allowlist-based, so resources must be listed in the allowlist in order to be accessed.”

Further down it specifies a duosecurity.com URL as blocked. It goes on to explain the issue and recommends some fixes, including: " * (Recommended) If you’re using an allowlist for 'script-src', consider switching from an allowlist CSP to a strict CSP, because strict CSPs are more robust against XSS . See how to set a strict CSP ."

Refused to load the image ‘https://duo.com/’ because it violates the following Content Security Policy directive: “img-src ‘self’”.

This is OK to ignore. The concern is that the page that hosts the Duo Prompt (at the duosecurity.com URL) is blocked.

Do you have an extension like NoScript, Privacy Badger, or Ghostery installed?

Do you have any other firewall/endpoint protection software installed other than what came with Windows and Malware Bytes?

Is JavaScript enabled, or if you have custom site settings for JavaScript are you permitting the Duo sites (for example, you can check this in Chrome at chrome://settings/content > Javascript).

Can you try an incognito or in-private browser window with all your installed browser extensions disabled to see if the behavior persists?

I’ve got NoScript in Chrome only, as well as Malware Bytes but they’re both off, as is ABP ad blocker. I wonder if I should uninstall them completely. No other firewalls or antivirus software other than Windows. Javascript is enabled in Chrome and Duo.com is a permitted site. Since it happens in all browsers, I thought it has something to do with a common Windows issue. Something that must have changed in an update a week ago perhaps. It persists with an upgrade to Windows 11.

Curiously, it has started to work as of yesterday but is inconsistent and will often fail. Sometimes it works if I refresh the page. I have noticed that some other web sites can’t load either. e.g. a popular hardware store chain. If it does load, it’s really really slow. Everything’s fine on my desktop computer though. The very last thing I did was to update Windows apps via the Microsoft store, but I can’t see why that would make a difference.

Hmm… I’m on a mac so I’m trying to remember Windows tips…

  • Does this happen wherever you take your laptop (so, network-agnostic; any connection you use is the same)?

  • Might your laptop be using an outbound system-wide HTTP proxy? IIRC you can use netsh on Windows to see system-wide proxy settings.

  • Have you cleared your browsers’ caches (since you have issues in multiple browsers I don’t really think this would make a difference).

  • Are you getting the DNS server assigned automatically by your connected network? Maybe try editing the properties of your network connection to use another DNS server, like 8.8.8.8 (Google’s public DNS server).

  • Flush the DNS resolver cache ipconfig /flushdns.

  • What if you were try a browser you never used before? Like, if you were to install Opera, and not load any extensions or anything, and still have issues, then definitely it is something in your operating system.

Good luck figuring this out! Maybe some of the Windows client admins here in the community have other ideas.

The problem occurs under Opera, Chrome and Edge. My notebook and desktop are on my home router but only the notebook has the problem. For a week or two it was not able to log in at all then a few days ago it became sporadic and for the last day it’s been pretty good. I don’t know what’s been changing.

Thanks for the good suggestions. I’m going to try some of them and see how things are this week. I had thought about changing the DNS server on my notebook but it’s set to my router for both the notebook and desktop so I didn’t think that was the problem.

Since all my work files are on my notebook, it’s been a pain working through my desktop and having to keep transferring files back and forth. It’s a perplexing problem.

Thanks for your advice. My university help desk didn’t even want to make a suggestion to diagnose it.

I had a user with this problem recently. When observing that it worked on a hotspot, a modem reboot fixed it. Of course, this may not be practical in a large office setting, but I wanted to mention it.