Good Key for Signed Cookies?


I’m integrating duo_universal_java with an existing Kerberos / NTLM style SSO for corporate intranet environments where clients are joined to a Windows domain.

Kerberos / NTLM SSO does not prompt the user for a password at all (they are authenticated continuously and transparently all the time) and so there is no login page to trigger 2FA.

To trigger 2FA I was thinking that a cookie would be used to detect if the user has not performed 2FA within some expiry period.

However, I obviously need to cryptographically bind the cookie to the application and preferably the user. From googling about such things it seems that some folks use the Client ID and username to generate the key. However, the Client ID could be exposed in logs or perhaps in browser-space. If an interloper knew the Client ID, they could forge the cookie.

So the question is, what should I use as a good key for signed cookies?

I have seen references to an Application ID that looks like it might be used for this purpose, but neither duo_universal_java nor the dashboard has a reference to this property.

I could just make up a random key but this is an extra installation step that might be unnecessary. I like to make things as easy as possible for users.

Does Duo have guidance on what key to use for signed cookies and maybe a specific method of using the username, timestamp and SHA256 or whatever?
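An added example of the approach the question describes: a 2FA freshness cookie signed with HMAC-SHA256 under a random server-side key (not the Client ID) and bound to the SSO username and an issue timestamp. This is not code from the original post or from duo_universal_java; the class and method names and the cookie layout are this example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TwoFactorCookie {   // hypothetical helper, not part of duo_universal_java
    private static final String ALG = "HmacSHA256";
    private final byte[] key;    // random server-side secret, never derived from the Client ID

    public TwoFactorCookie(byte[] key) { this.key = key.clone(); }

    // Generate a fresh 256-bit key once at install and keep it in the app's protected config.
    public static byte[] generateKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return k;
    }

    // Cookie value: issuedAtEpochSeconds "." base64url(HMAC-SHA256(username "|" issuedAt)).
    // The username is not carried in the cookie; it comes from the SSO principal at check time.
    public String issue(String username, long issuedAt) throws Exception {
        byte[] tag = hmac(username + "|" + issuedAt);
        return issuedAt + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // True only if the tag matches the currently authenticated user and 2FA is within maxAge.
    public boolean isFresh(String cookie, String ssoUser, long now, long maxAgeSeconds) throws Exception {
        String[] parts = cookie.split("\\.", -1);
        if (parts.length != 2) return false;
        long issuedAt;
        byte[] tag;
        try {
            issuedAt = Long.parseLong(parts[0]);
            tag = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass
            return false;
        }
        byte[] expected = hmac(ssoUser + "|" + issuedAt);
        return MessageDigest.isEqual(expected, tag)   // constant-time comparison
                && now >= issuedAt && now - issuedAt <= maxAgeSeconds;
    }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
}
```

After a successful Duo prompt, call `issue(ssoUser, nowSeconds)` and set the result as an HttpOnly, Secure cookie; on each request, redirect to the 2FA flow whenever `isFresh(cookieValue, ssoUser, nowSeconds, maxAge)` returns false, so a cookie forged or replayed for another user, or tampered in transit, never satisfies the check.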