DUO MFA protecting OWA and ECP

Hello,

I’m a new admin/user and testing out DUO. The first application we’ve chosen to protect is Microsoft OWA. I’ve installed everything and access to OWA is protected. I get a DUO prompt when trying to log in, as expected. When logging into the ECP I get a DUO prompt and am able to log in as expected. If I log out of the ECP and log in again with the same user I do not get a DUO 2FA prompt; the login continues as it did previously without DUO. If I log out of the ECP and then log into that user’s OWA account I again do not receive a DUO prompt. When I log out of that admin’s OWA account and try to get into either the OWA or ECP account I then get a DUO 2FA prompt.

It appears that something related to the ECP is caching/remembering the login even if I logout. Has anyone tested or experienced this before?

Thanks
Josh

I hadn’t noticed that, but did a quick test and confirm my environment works the same.

I don’t think this is a bad thing, and it is likely cookie-based or something. Are there any downsides? Someone accidentally logs out without closing the browser and is able to log back in without DUO? I mean, you could confidently say it is them… within a certain timeframe I guess. I wonder if after a certain period of time another login attempt would cause DUO to appear?

I don’t know that there is a specific downside other than if someone saves their password in their browser, walks away from their computer and doesn’t lock their computer, and then someone else uses their computer to log on to the ECP. I don’t know how likely this scenario is to happen in a real-life situation, but it could happen.

I haven’t tested to see if ECP times out after a certain time and then would cause DUO to reappear. I’ll see if I can do that this week and report back.

Thanks
Josh

Just to close the loop on this, ECP does time out after enough time. So this appears to be an expected behavior.

Thanks
Josh