Privacy for personal phones?

jimbob2 · ‎06-26-2020

Hi there! New to DUO and to this community, and wondering about privacy when employees of an organization using DUO authentication install the Duo Mobile authentication app on their personally owned phones. How much–and what–data are administrators able to gather from personal phones?

Thanks!

Amy2 · ‎06-30-2020

Hi @jimbob, that is a great question! Trust and transparency are at the heart of everything we do, and we take our end-users’ privacy very seriously. You can read the full Duo Mobile Privacy Policy to learn more about the device data permissions Duo Mobile requests and why. (In general, Duo Mobile cannot access things like your contacts, photos, text messages, and emails.)

Your question specifically concerns the data administrators have access to though. That info can be found in our guide to reading the Authentication Log report in the Duo Admin Panel. Duo admins generally can see the following about personal phones used to authenticate into Duo-protected applications:

If an authentication attempt was denied due to a policy you have in place, such as a device using an out-of-date version of software.
Access Device: The OS, browser, Flash version, Java version, location, and IP address of the device used to access the Duo-protected application. Some of this information will only appear if it is available (such as location) or applicable.
Second Factor: Shows the method used as a second factor, the type of device used to complete 2FA, the location of the device, and the IP address of the device. Some of this information will only appear if it is available or applicable.

I hope that answer helps! Let me know if you have additional questions. Oh, and welcome to the Duo Community

jimbob2 · ‎07-14-2020

Hi Amy,

This answers my question.

Thanks!