Seamless Application Access with Duo Passport

Cisco Duo has evolved in to a robust Zero Trust security solution, with features delving way beyond those of an MFA solution. Read on to learn more about Duo’s newest enhancement, Duo Passport.

Duo passport allows for a simplified application access experience by allowing users to seamlessly share remembered device sessions between applications. Additionally, Duo Passport with Duo authentication for Windows Logon and Duo SSO, users’ sessions will be shared after the initial sign-in into Windows with Duo, allowing them to access both browser and desktop apps without needing to re-enter primary auth or completing Duo MFA. Let’s dive into the details.

Remembered Devices is a feature within Duo that allows organizations to allow a device to be deemed trustworthy and require MFA less frequently via policy, allowing users to bypass 2FA for up to seven days if no security risk or location change is detected.

Prior to Duo Passport, Duo would store a trusted session/remembered device information in applications accessed in the browser. In the case of Window’s logon, the remembered device session would be stored on the device itself, however, session information wouldn’t be shared between web and/ desktop apps, meaning that the user would have to enter their primary credentials and go through the entire MFA process, or access via the passwordless MFA process, for each individual application.

With the addition of Duo Passport, users now can share distinct Duo session data between browser-based applications, desktop clients, and Duo for Windows.

Duo Passport requires the Duo Desktop application, specifically it’s Automatic Registration and Payload Signing capabilities.

Duo Desktop is utilized for advanced use-cases, such as determining the posture of devices, whether a device is managed or unmanaged, and many of other security and organizational standards prior to allowing devices access to applications.

Duo Automatic Registration is a feature in which if Duo Desktop is not registered, automatic registration will occur when a user accesses a Duo-Protected App and completes 2FA.

From there, Duo Desktop will generate a Key Pair, storing the private key on the Access Device and sending the public key to Duo to be stored and associated with the user attempting access, their account, as well as the access device. This exchange allows Duo to remember the session data. If any changes happen within these factors, the registration process will repeat.

Duo Desktop Payload Signing takes the private key generated during registration and uses it to cryptographically sign the data payloads send by Duo Desktop. From there, the signature is verified via the public key shared with Duo during registration. Should the payloads signature not match for any reason, the user's access will be blocked.

How Does this Look from an End-User Perspective?

The user will log into a web application from their browser and will be asked in the Duo Prompt presented whether they want their device to be remembered.

This trust session is shared to both the user’s desktop applications, as well as any web applications they may access for the duration of their remembered session, omitting the need for the user to reauthenticate.

From there, Duo Desktop generates a signature for its health report, and compares this data with Duo authentication data by looking up the remembered record for the device and the user to see if the user has authenticated on the same device recently, triangulating the initial MFA process and thus allowing the user to access without 2FA.

Duo Passport for Duo Authentication for Windows Logon works similarly, however, once a user completes the initial MFA upon initial Windows logon, their session will be remembered from there, allowing them to log into Duo-protected SSO applications, both browser and desktop-based, without having to authenticate again.

In the case of Windows Logon, the user's Remembered session will stay in-tact for the desired length of time determined via policy and will not terminate upon windows logout.

In summary, there are two approaches for Duo Passport:

• Apply a Remembered Device policy for all browser applications
• Install the Duo Desktop application on Windows and MacOS clients
• Duo protected apps can either be 2FA-only apps, or Duo SSO

• Apply a Remembered Devices policy for Windows logon and browser apps
• Upon user sign-in to Windows with Duo MFA, a Remembered Device session will be initiated
• Remembered Session will be shared with Duo-protected Web Applications or Desktop applications, omitting the need to re-authenticate

To learn more about how to optimize your organization’s Zero Trust Strategy with Cisco Duo, please reach out to the ModernCyber Team to learn more about our Professional Services, Deployment Evaluation, and Enablement services.