Looking for more info on the epkey field

I was wondering if I could get some information on the epkey field found under the access device in Duo logs. The only documentation I’ve found states it’s “The endpoint’s unique identifier”. I’m a security consultant, and certain organizations have this field in their logs while others do not. Is this field only present for certain Duo plans? How is the epkey assigned? Sometimes the epkey value remains the same, but sometimes it changes. Was hoping to get some insight into this field, specifically in what conditions it would remain the same versus change among multiple authentications for a user. Thanks.

Is this field only present for certain Duo plans?

From Duo Admin API | Duo Security: "Endpoint information retrievable by Duo Beyond and Duo Access customers. In addition, some response information is available only with Duo Beyond."

The only documentation I’ve found states it’s “The endpoint’s unique identifier”.

There’s no hidden meaning. It’s just a generated string assigned to the endpoint to identify it in Duo, just like user_id is a string that identifies a user in Duo.

Sometimes the epkey value remains the same, but sometimes it changes.

Since this value is per-endpoint this may indicate that the user logged in from more than one access device (different endpoints). Also, from https://duo.com/docs/endpoints: “Information for a given endpoint is purged after 30 days of inactivity.” If a user logs in infrequently the original endpoint with epkey=whatever might be purged so a new auth > 30 days after that would result in a new epkey for that endpoint epkey=differentwhatever.

Does that info help?


Thanks for the info. So in the case that there is an authentication to a user account from a new IP address, and the epkey value is the same as previous logins to that user account, can we assume that this is the same access device attempting to login? Or could a different device with similar properties potentially receive the same epkey?

Yes, that is a safe assumption. The epkey is a random identifier so it should be statistically improbable that the epkey assigned to deviceA would be assigned to deviceB should the deviceA endpoint age out/get purged from Duo.

The auth log also shows other information about the endpoint that Duo could gather (OS, browser, hostname), depending on the access application, Duo trust implementation, and Duo edition, to help an admin determine whether it is the same device.
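The correlation logic described in this thread, written out as an added example (not code from Duo or from either poster): for each user it walks authentication log records in time order, treats a repeated epkey as the same access device even when the IP changes, and classifies a new epkey by whether an endpoint with the same hostname/OS/browser fingerprint was last seen more than 30 days earlier (the inactivity purge window quoted above, after which the same device would come back under a fresh epkey). The record shape follows the Duo Admin API v2 authentication log (`access_device.epkey`, `ip`, `hostname`, `os`, `browser`, and a Unix `timestamp`), but the sample records, the epkey strings, the fingerprint choice, and the finding labels are all constructed here for illustration.

```python
"""
Correlate the epkey field across a user's Duo authentication log records.

Added example, not Duo's code. SAMPLE_RECORDS is constructed to mimic the
shape of Duo Admin API v2 authentication log entries; the values are made up.
The 30-day figure is the endpoint inactivity purge window quoted in the thread;
the fingerprint fields and the labels are assumptions made for illustration.
"""
from collections import defaultdict

PURGE_WINDOW_SECONDS = 30 * 24 * 3600  # endpoint info purged after 30 days idle

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"timestamp": 1_700_000_000, "user": {"name": "alice"},
     "access_device": {"epkey": "EP1AAAAAAAAAAAAAAAAA", "ip": "198.51.100.10",
                       "hostname": "ALICE-LAPTOP", "os": "Windows", "browser": "Chrome"}},
    # same epkey, different IP: per the thread, treat as the same device
    {"timestamp": 1_700_086_400, "user": {"name": "alice"},
     "access_device": {"epkey": "EP1AAAAAAAAAAAAAAAAA", "ip": "203.0.113.5",
                       "hostname": "ALICE-LAPTOP", "os": "Windows", "browser": "Chrome"}},
    # >30 days after the EP1 endpoint was last seen: new epkey but matching
    # hostname/os/browser, so the old endpoint was probably purged and re-keyed
    {"timestamp": 1_703_000_000, "user": {"name": "alice"},
     "access_device": {"epkey": "EP2BBBBBBBBBBBBBBBBB", "ip": "203.0.113.5",
                       "hostname": "ALICE-LAPTOP", "os": "Windows", "browser": "Chrome"}},
    # new epkey, nothing in the history matches: genuinely new device, worth a look
    {"timestamp": 1_703_100_000, "user": {"name": "alice"},
     "access_device": {"epkey": "EP3CCCCCCCCCCCCCCCCC", "ip": "192.0.2.77",
                       "hostname": "unknown", "os": "Mac OS X", "browser": "Safari"}},
    # no epkey at all (edition/application without endpoint data): cannot key on it
    {"timestamp": 1_703_200_000, "user": {"name": "bob"},
     "access_device": {"ip": "198.51.100.20", "os": "Linux", "browser": "Firefox"}},
]


def fingerprint(dev):
    """Secondary identity used when epkey is absent or has changed (assumed field set)."""
    return (dev.get("hostname"), dev.get("os"), dev.get("browser"))


def classify_epkey_changes(records):
    """Return one finding per record describing how its epkey relates to the user's history."""
    findings = []
    seen = defaultdict(dict)  # user -> epkey -> {"last_seen", "ips", "fp"}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        user = rec["user"]["name"]
        dev = rec["access_device"]
        ts = rec["timestamp"]
        epkey = dev.get("epkey")
        ip = dev.get("ip")
        if epkey is None:
            label = "no_epkey"  # fall back to ip/os/browser correlation by hand
        elif epkey in seen[user]:
            known = seen[user][epkey]
            label = "same_device_new_ip" if ip not in known["ips"] else "same_device"
            known["ips"].add(ip)
            known["last_seen"] = ts
        else:
            fp = fingerprint(dev)
            matches = [k for k in seen[user].values() if k["fp"] == fp]
            if matches and all(ts - k["last_seen"] > PURGE_WINDOW_SECONDS for k in matches):
                label = "new_epkey_likely_purged"  # same-looking endpoint, re-keyed after purge
            elif matches:
                label = "new_epkey_same_fingerprint"  # second similar device, or re-enrolled
            else:
                label = "new_epkey_new_device"
            seen[user][epkey] = {"last_seen": ts, "ips": {ip}, "fp": fp}
        findings.append({"user": user, "timestamp": ts, "epkey": epkey, "ip": ip, "label": label})
    return findings


def needs_review(findings):
    """Findings an analyst should look at: new epkeys not explained by the purge window."""
    return [f for f in findings
            if f["label"] in ("new_epkey_new_device", "new_epkey_same_fingerprint")]


if __name__ == "__main__":
    for f in classify_epkey_changes(SAMPLE_RECORDS):
        print(f["user"], f["timestamp"], f["epkey"], f["ip"], f["label"])
```

Note that a first-ever record for a user is necessarily labelled as a new device, so on a real export the first pass only builds the baseline; the "likely purged" label also depends on the export covering the earlier endpoint, since anything older than the window has already dropped out of Duo's own endpoint view.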