Hello everyone! Here are the release notes for the most recent updates we’ve made to Duo.
You can subscribe to notifications for new release notes by following the process described here. If you have any questions about these changes, please comment below.
New features, enhancements, and other improvements
- This new, easy-to-use biometric functionality utilizes WebAuthn, which helps reduce risks associated with phishing while making it easier for end users.
- End users can easily enroll Touch ID devices using the self-service portal in the Duo Prompt.
- You can control whether Touch ID can be used as a 2FA method with an Authentication Methods Policy. The default setting for new customers allows all of Duo’s authentication methods, but existing customers will need to enable WebAuthn authentication methods in their policy settings.
- Learn more about Touch ID and Duo’s plans for WebAuthn.
- You can now utilize security keys in Mozilla Firefox browser in addition to Google Chrome.
- You can control whether Security Keys can be used as a 2FA method in Firefox with an Authentication Methods Policy. The default setting for new customers allows all of Duo’s authentication methods, but existing customers will need to enable WebAuthn authentication methods in their policy settings.
- Note that if you were using a security key with Chrome before this update, you will need to use it to authenticate once more in Chrome before you can use it with Firefox. Additionally, you will have to manually select your security key from the device drop-down list in the Duo Prompt.
- When the integration is changed or removed for Duo Restore for Duo Mobile, the integration and URL are now logged in the Administrator Actions log.
New and updated applications
- The Duo Mobile app now implements Federal Information Processing Standard (FIPS) 140-2 compliant encryption for Duo Push notifications and for generating HOTP passcodes for Duo-protected accounts.
- Because of this update, the FIPS configuration setting in the Duo Admin Panel is no longer available. If you had enabled the “Require FIPS 140-2 encryption on Android passcodes” option before this change, then the setting will remain in effect for passcodes generated on Duo Mobile for Android versions older than 3.25.0. It had no effect on push notifications.
- Miscellaneous bug fixes and improvements for increased stability.
- Note that push notifications and HOTP passcodes in Duo Mobile for iOS are already FIPS 140-2 compliant.
- When a Duo Administrator’s password is changed, all active sessions will be expired forcing them to log in to the Duo Admin Panel again.
- Fixed a bug that caused Admin API single-user syncs to Azure Active Directory to fail when username normalization was enabled.