Hello: We came across this during one of our rollouts. The PreAuth API does not seem to return U2F tokens for users. Since we use the PreAuth check as a method of routing users to the IFrame, this means that a user with only U2F Tokens would not be seen as “enrolled”.
You’re correct, we do not return U2F tokens in a
Please note that we only recommend using the AuthAPI
ping calls in a Duo Web integration, per our instructions here: Duo Web Two-Factor Authentication for Your Web Application | Duo Security.
I’m also confused by the logic you describe… wouldn’t you want an unenrolled user to hit the frame to enroll?
Regardless, this isn’t a recommended use of the AuthAPI
Check and Ping are not user specific and make the assumption that we send all users to the Duo IFrame. We currently have a mix of enrolled users and users pending their enrollment dates. PreAuth allows us to pull back the list of devices and their enrollment status (which we have found to be unreliable since we are not leveraging the bulk enrollment. Ex: Users created through the API, but with no devices, report as “auth” and not “enroll”. For us, this translates to any users known to Duo will be presented with the enrollment iframe). PreAuth has been a workaround. We are currently re-coding our “PreAuth” check to pull the user instead, where all tokens are listed; however, this will be a much heavier call. My contact information is associated with my account if you want further information.