Looking for more info on the epkey field

Brian123
Level 1

I was wondering if I could get some information on the epkey field found under the access device in Duo logs. The only documentation I’ve found states it’s “The endpoint’s unique identifier”. I’m a security consultant, and certain organizations have this field in their logs while others do not. Is this field only present for certain Duo plans? How is the epkey assigned? Sometimes the epkey value remains the same, but sometimes it changes. I was hoping to get some insight into this field, specifically in what conditions it would remain the same versus change among multiple authentications for a user. Thanks.

3 Replies

DuoKristina
Cisco Employee

Is this field only present for certain Duo plans?

From Duo Admin API | Duo Security: “Endpoint information retrievable by Duo Beyond and Duo Access customers. In addition, some response information is available only with Duo Beyond.”

The only documentation I’ve found states it’s “The endpoint’s unique identifier”.

There’s no hidden meaning. It’s just a generated string assigned to the endpoint to identify it in Duo, just like user_id is a string that identifies a user in Duo.

Sometimes the epkey value remains the same, but sometimes it changes.

Since this value is per-endpoint this may indicate that the user logged in from more than one access device (different endpoints). Also, from https://duo.com/docs/endpoints: “Information for a given endpoint is purged after 30 days of inactivity.” If a user logs in infrequently the original endpoint with epkey=whatever might be purged so a new auth > 30 days after that would result in a new epkey for that endpoint epkey=differentwhatever.

Does that info help?

Duo, not DUO.

Brian123
Level 1

Thanks for the info. So in the case that there is an authentication to a user account from a new IP address, and the epkey value is the same as previous logins to that user account, can we assume that this is the same access device attempting to login? Or could a different device with similar properties potentially receive the same epkey?

DuoKristina
Cisco Employee

Yes, that is a safe assumption. The epkey is a random identifier so it should be statistically improbable that the epkey assigned to deviceA would be assigned to deviceB should the deviceA endpoint age out/get purged from Duo.

The auth log shows other information about the endpoint that it could gather for correlation, depending on access application, Duo trust implementation, and Duo edition (OS, browser, hostname), to help an admin determine if it is the same device.

Duo, not DUO.
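The correlation rules from this thread (same epkey with a new IP means the same device on a new network; a new epkey while another endpoint of the user is still within its retention window means a second device; a new epkey after more than 30 days of inactivity may just be a purged endpoint re-registered; no epkey at all when the edition does not expose endpoint data) as a runnable script. This is an added example, not code from the thread or from Duo. The log records are constructed, and the field names (isotimestamp, user.name, access_device.epkey, access_device.ip) are an assumption modelled on the shape of the Admin API v2 authentication log, so check them against a real export before relying on the parser.

```python
"""Correlate Duo authentication log records by access_device.epkey.

Added example, not from the original thread or from Duo's own tooling.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# duo.com/docs/endpoints: "Information for a given endpoint is purged after
# 30 days of inactivity."
PURGE_AFTER = timedelta(days=30)

# Constructed sample records (not real Duo output). The field names are an
# assumption modelled on the Admin API v2 authentication log; verify them
# against your own export. Epkeys are placeholders, not real identifiers.
SAMPLE_LOG = "\n".join([
    '{"isotimestamp": "2023-05-01T09:00:00+00:00", "user": {"name": "alice"}, "result": "success",'
    ' "access_device": {"epkey": "EPKEY-A", "ip": "203.0.113.10", "os": "Windows", "browser": "Chrome"}}',
    '{"isotimestamp": "2023-05-02T09:00:00+00:00", "user": {"name": "alice"}, "result": "success",'
    ' "access_device": {"epkey": "EPKEY-A", "ip": "198.51.100.7", "os": "Windows", "browser": "Chrome"}}',
    '{"isotimestamp": "2023-05-03T09:00:00+00:00", "user": {"name": "alice"}, "result": "success",'
    ' "access_device": {"epkey": "EPKEY-B", "ip": "203.0.113.10", "os": "Mac OS X", "browser": "Safari"}}',
    # Record from an edition without endpoint data: no epkey in access_device.
    '{"isotimestamp": "2023-05-03T12:00:00+00:00", "user": {"name": "bob"}, "result": "success",'
    ' "access_device": {"ip": "192.0.2.44", "os": "Windows", "browser": "Edge"}}',
    # 48 days after alice's last auth: both of her known endpoints are past the purge window.
    '{"isotimestamp": "2023-06-20T09:00:00+00:00", "user": {"name": "alice"}, "result": "success",'
    ' "access_device": {"epkey": "EPKEY-C", "ip": "203.0.113.10", "os": "Windows", "browser": "Chrome"}}',
])


def parse_log(text):
    """Parse newline-delimited JSON records into flat events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        dev = rec.get("access_device") or {}
        events.append({
            "ts": datetime.fromisoformat(rec["isotimestamp"]),
            "user": rec["user"]["name"],
            "epkey": dev.get("epkey"),  # None when the edition does not expose endpoint data
            "ip": dev.get("ip"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def classify(events):
    """Attach a verdict to each event based on the user's previously seen epkeys."""
    # per user: epkey -> {"last_seen": datetime, "ips": set of IPs seen with it}
    seen = defaultdict(dict)
    verdicts = []
    for e in events:
        endpoints = seen[e["user"]]
        epkey = e["epkey"]
        if epkey is None:
            verdict = "no_epkey"
        elif epkey in endpoints:
            # Same epkey: safe to treat as the same access device, even from a new IP.
            verdict = "known_endpoint" if e["ip"] in endpoints[epkey]["ips"] else "known_endpoint_new_ip"
        elif not endpoints:
            verdict = "first_endpoint"
        else:
            # A new epkey while another endpoint of this user is still within its
            # retention window points at a second device. If every known endpoint
            # has been inactive for more than 30 days, Duo will have purged it, so
            # the new epkey may be the same device re-registered.
            still_retained = any(e["ts"] - ep["last_seen"] <= PURGE_AFTER for ep in endpoints.values())
            verdict = "additional_endpoint" if still_retained else "new_epkey_after_purge_window"
        if epkey is not None:
            ep = endpoints.setdefault(epkey, {"last_seen": e["ts"], "ips": set()})
            ep["last_seen"] = e["ts"]
            ep["ips"].add(e["ip"])
        verdicts.append({**e, "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for v in classify(parse_log(SAMPLE_LOG)):
        print(f'{v["ts"].date()} {v["user"]:6} epkey={v["epkey"]!s:8} ip={v["ip"]:14} {v["verdict"]}')
```

The purge check is deliberately per user rather than per endpoint: when no known endpoint for the user has been seen inside the 30-day window, a fresh epkey cannot be distinguished from a purged endpoint coming back, so the script refuses to call it a new device. Point `parse_log` at a real v2 authentication log export to run it on your own data.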