Duo Universal Prompt - (lack of) Default Device option


I’ve been attempting to move to the Universal Prompt for years, but there has always been technical blockers. With the announcement that support for the Traditional Prompt is ending in the coming months, I’m growing in concern that gaps I’ve called out haven’t been addressed. In particular, the lack of support for the user to select a Default Device. I’ve opened support cases that have been closed/added to an enhancement, but haven’t heard of a solution being developed.

The Universal Prompt is not available at every integration point (LDAPS/RADIUS authentication proxy) and in real world deployment users are not prompted at all, or using an unexpected method (some of which can’t work). This is a huge gap we found when attempting to roll out the Universal Prompt that produced Incidents which forced us to roll back to the Traditional Prompt. It appears the Universal Prompt work fails to address anything other than Universal Prompt behaviors. For us, this is a must have before the we can move to Universal Prompt because we use other options like LDAP/RADIUS proxies, and CLI integration.

Based on the language in the guide, it’s like the team is fully aware that default devices were removed compared to the Traditional Prompt but don’t understand this is a problem.

(Language as-of 2023-01-26)

“Completing Duo login sets the login option you used as the first choice for this application. Future Universal Prompt logins to that application from the same device and browser will automatically use that same method. If you cancel the authentication in process and choose a different device, then the device you use becomes the first choice for that application.

There is no way to turn off automatic device selection, or to explicitly configure a default authentication device.

“Your organization’s Duo administrator may choose to block some authentication options for certain applications, requiring that you choose a different device. Since Duo remembers the last-used authentication device for each application you access, the Universal Prompt should always display the right default option for that application.

You can see this is fully Universal Prompt centric and does not address or acknowledge any behavior or impacts to other integration/prompt use cases using Duo.

How can we raise this issue to the right level of attention?

Thank you.

To raise your issue please contact Duo Support, or your Duo account exec or Duo Care team, to voice support for a feature request for making the default device used configurable in the Universal Prompt.

ETA: rereading your post it sounds like you may have already been added to the relevant feature request from prior support interactions. Do you have a Duo account exec or Duo Care success manager that could facilitate further discussions for you?

Also note that the Duo traditional prompt and iframe end-of-support date is March 2024, which is not quite “in the coming months”. We will keep enhancing the Universal Prompt and working with partners to update their traditional prompt applications throughout 2023.