We are qualifying a solution that lets individual users choose a device, but you should still be planning your migration off traditional Duo Prompt and the iframe ahead of the end-of-support milestone this March even if you aren't a fan of automatic device selection in Duo Universal Prompt. Support extensions won't be granted based on this.

Thanks. We already updated to Universal Prompt. Works fine except for the missing option to select the default device. Therefore we switched back to traditional prompt.

If this feature is not available by the end of March we will face many unhappy users and increased support effort to manually switch default devices in the admin portal - where this is still possible. I really hope you get this done within the next month. If you need any beta testers, feel free to contact me.

The solution coming not the same as the traditional Duo Prompt, where the individual user can select a preferred device for automatic use. It is going to be a per-user setting that turns off automatic selection, so when the user encounters the prompt no factor is automatically selected and the user picks the method they want to use. This feature enters early access in the next release, which rolls out to production over the next 7 days.

If you really want a direct analogue to user-selected default device, please contact Duo Support to submit that feature request.

You are saying "a per-user setting that turns off automatic selection" is coming soon. If I understand correctly, if you turn off the auto selection and you access let's say a Duo protected website, you will be asked "which device to use for MFA?" and then you authenticate using that device. Correct?

The big question here, when the user connects to a remote desktop and authenticates at the RD Gateway, which MFA device will be selected? Connections via RD Gateway can't show a pop-up asking for "which device to use for MFA?". What's the fallback solution here? (btw. @AnthonyL3, who started the discussion also referred to this issue with applications that cannot show a prompt at all.)

If it would be the "last used device" that could be a solution. In this case, if the user wants to switch the device for RD Gateway authentication, he/she would only need access a website with Universal Prompt first, select the desired device, authenticate and close the website. Afterwards connect to RD Gateway and get the prompt at the last used device.

For applications that do not show an interactive Duo prompt in a browser but do show some Duo UI at the client, such as Duo Unix and Duo for Windows and Mac logon, the default device used would be the first phone device listed for the user in the Duo Admin Panel, and the UI will offer other compatible authentication method options as alternate selections. For applications that do not show any Duo authentication UI at all, like Duo for RD Gateway or RADIUS/LDAP auto configurations using Duo Authentication proxy, the default device used is the first phone device attached to the user in the Admin Panel that is capable of Duo Push or phone call methods, with no other method possible. These applications are based on Duo's Auth API, not Duo's Web SDK.

This device preference for non-browser API apps hasn't ever been manageable by the end user and that remains unchanged.

The last-used device behavior is exclusive to Duo Universal Prompt and is determined via a browser cookie, so it's impossible to have that information apply to non-browser auths. The per-user setting that turns off automatic selection is only effective for Universal Prompt as well. Learn more about it here: https://duo.com/docs/administration-users#change-user-authentication-experience (noting that the option is rolling out in the D285 release, which your specific Duo deployment might not receive until the end of next week).