I was wondering if I could get some information on the epkey field found under the access device in Duo logs. The only documentation I’ve found states it’s “The endpoint’s unique identifier”. I’m a security consultant, and certain organizations have this field in their logs while others do not. Is this field only present for certain Duo plans? How is the epkey assigned? Sometimes the epkey value remains the same, but sometimes it changes. Was hoping to get some insight into this field, specifically in what conditions it would remain the same versus change among multiple authentications for a user. Thanks.
Is this field only present for certain Duo plans?
The only documentation I’ve found states it’s “The endpoint’s unique identifier”.
There’s no hidden meaning. It’s just a generated string assigned to the endpoint to identify it in Duo, just like user_id is a string that identifies a user in Duo.
Sometimes the epkey value remains the same, but sometimes it changes.
Since this value is per-endpoint this may indicate that the user logged in from more than one access device (different endpoints). Also, from https://duo.com/docs/endpoints: “Information for a given endpoint is purged after 30 days of inactivity.” If a user logs in infrequently the original endpoint with epkey=whatever might be purged, so a new auth > 30 days after that would result in a new epkey for that endpoint.
Does that info help?
Thanks for the info. So in the case that there is an authentication to a user account from a new IP address, and the epkey value is the same as previous logins to that user account, can we assume that this is the same access device attempting to login? Or could a different device with similar properties potentially receive the same epkey?
Yes, that is a safe assumption. The epkey is a random identifier so it should be statistically improbable that the epkey assigned to deviceA would be assigned to deviceB should the deviceA endpoint age out/get purged from Duo.
The auth log shows other information about the endpoint, which it could gather depending on access application, Duo trust implementation, and Duo edition (OS, browser, hostname), to help an admin correlate and determine if it is the same device.
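Putting the two points from the replies together (a repeated epkey from a new IP is most likely the same device, and a fresh epkey after more than 30 days of inactivity is expected because the old endpoint record was purged), here is an added Python example of how an analyst could label authentication log entries. It is not code from Duo or from anyone in this thread. The record layout assumes the access_device / user / isotimestamp fields of the Duo Admin API v2 authentication log; the sample records, the 30-day threshold as a timedelta, and the label names are constructed for this example.

```python
"""Label Duo authentication log entries by access_device.epkey behaviour.

Added example; the records below are constructed and the field names are
assumed to follow the Duo Admin API v2 authentication log shape.
"""
from datetime import datetime, timedelta

# Duo purges endpoint information after 30 days of inactivity, so a new
# epkey after such a gap is expected rather than suspicious.
PURGE = timedelta(days=30)

# Constructed sample records for two users.
SAMPLE_LOGS = [
    {"isotimestamp": "2024-01-05T09:00:00+00:00", "result": "success",
     "user": {"name": "alice"},
     "access_device": {"epkey": "EP1AAAA", "ip": "203.0.113.10",
                       "os": "Windows", "browser": "Chrome"}},
    {"isotimestamp": "2024-01-06T09:00:00+00:00", "result": "success",
     "user": {"name": "alice"},
     "access_device": {"epkey": "EP1AAAA", "ip": "198.51.100.7",
                       "os": "Windows", "browser": "Chrome"}},
    {"isotimestamp": "2024-01-07T09:00:00+00:00", "result": "success",
     "user": {"name": "alice"},
     "access_device": {"epkey": "EP2BBBB", "ip": "198.51.100.7",
                       "os": "Mac OS X", "browser": "Safari"}},
    # 54+ days later: both of alice's known endpoints have aged out.
    {"isotimestamp": "2024-03-01T09:00:00+00:00", "result": "success",
     "user": {"name": "alice"},
     "access_device": {"epkey": "EP3CCCC", "ip": "203.0.113.10",
                       "os": "Windows", "browser": "Chrome"}},
    # Some integrations do not populate epkey at all.
    {"isotimestamp": "2024-03-02T09:00:00+00:00", "result": "success",
     "user": {"name": "bob"},
     "access_device": {"ip": "192.0.2.44", "os": "Linux", "browser": "Firefox"}},
]


def _fingerprint(dev):
    """Other endpoint attributes the log carries, used to narrow candidates."""
    return (dev.get("os"), dev.get("browser"))


def _ts(rec):
    return datetime.fromisoformat(rec["isotimestamp"])


def classify(records):
    """Walk records in time order and attach a label to each one.

    Labels (constructed for this example):
      first_seen            first epkey observed for this user
      known_device          epkey and IP both seen before for this user
      known_device_new_ip   same epkey, new IP: most likely the same device
      new_device            unseen epkey while other endpoints are still active
      new_epkey_after_purge unseen epkey, but earlier endpoints were inactive
                            for more than PURGE, so a reissued key is expected
      no_epkey              the record carries no epkey field
    """
    state = {}  # user -> {"epkeys": {epkey: {"last": dt, "fp": (...)}}, "ips": set()}
    findings = []
    for rec in sorted(records, key=_ts):
        ts = _ts(rec)
        user = rec["user"]["name"]
        dev = rec["access_device"]
        epkey = dev.get("epkey")
        ip = dev.get("ip")
        u = state.setdefault(user, {"epkeys": {}, "ips": set()})
        finding = {"user": user, "time": rec["isotimestamp"], "epkey": epkey, "ip": ip}

        if epkey is None:
            finding["label"] = "no_epkey"
        elif epkey in u["epkeys"]:
            finding["label"] = "known_device" if ip in u["ips"] else "known_device_new_ip"
        elif not u["epkeys"]:
            finding["label"] = "first_seen"
        else:
            stale = [k for k, info in u["epkeys"].items() if ts - info["last"] > PURGE]
            if stale:
                finding["label"] = "new_epkey_after_purge"
                # Purged endpoints whose OS/browser match are the likely origin.
                finding["possible_reissue_of"] = [
                    k for k in stale if u["epkeys"][k]["fp"] == _fingerprint(dev)]
            else:
                finding["label"] = "new_device"

        if epkey is not None:
            u["epkeys"][epkey] = {"last": ts, "fp": _fingerprint(dev)}
        if ip:
            u["ips"].add(ip)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOGS):
        print(f"{f['time']} {f['user']:6} epkey={f['epkey']} ip={f['ip']} -> {f['label']}"
              + (f" (candidates: {f['possible_reissue_of']})" if "possible_reissue_of" in f else ""))
```

The labels are only a triage aid: a known epkey from a new IP is the case the thread calls a safe assumption, while a brand-new epkey is worth a second look only when the user's other endpoints were still active, since after 30 idle days Duo has discarded the old endpoint record and a fresh key is the normal outcome.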