Duo Universal Prompt Project | Information Systems & Computing

As part of Penn’s Identity & Access Management (IAM) Program, improvements to the Two-Step Verification user experience were implemented on November 14, 2023 with the release of Duo Universal Prompt. Duo Universal Prompt is a vendor-supplied Multi-Factor Authentication (MFA) application that replaced Penn’s custom solution for PennKey Two-Step Verification. PennKey is now integrated directly with Duo for a seamless user experience. Duo Universal Prompt provides a modern, secure, easy-to-use login interface and a simpler way to add and manage devices.

Details

Who Is Affected?

All PennKey Two-Step users and PennKey support providers are affected by the changes.

What Changed?

Current PennKey Two-Step Verification users do not have to re-download the Duo Mobile app, but will see the following changes:

Users will see the new Duo Universal Prompt UI instead of the previous Penn custom interface during PennKey WebLogin (see screenshots below).

All existing “Trust this browser” sessions will have expired.
- Users need to authenticate with Two-Step upon their first login after rollout.
- Duo Universal Prompt enforces a 60-day limit on trusted browsers. Browser trust is now enabled by clicking “Yes, this is my device” during login.
New login options are supported – USB security keys and Touch ID (Apple).
Some legacy Two-Step functions were retired (see below).
PennO365 Two-Step also changed to Duo Universal Prompt – Device trust now works across PennKey SSO and O365 logins.
The PennKey Login UI was refreshed and modernized with no functionality changes.

Retired Functions

The following legacy Two-Step functions were retired upon rollout of Duo Universal Prompt. See below for replacement information for retired functions:

Retired Function	Replaced By	Notes
“Generate Codes” (printed codes)	Code generating function within Duo Mobile app or Duo fob	If generating codes from within Duo Mobile app, users do not have to be online (no phone or internet service needed)
User Dashboard (enroll, manage settings, trouble logging in)	Duo Device Management Portal	Use the Duo Device Management Portal to add, rename, or delete devices
New Google Authenticator Registrations	Duo Mobile app	Existing Google Authenticator registrations will continue to work but are not supported or recommended
New SafeID fobs (will no longer be distributed on campus)	Duo fobs and hardware security keys	Existing SafeID fobs will continue to work
“Help a Friend”	N/A	Method no longer supported
Two-Step Admin Console (PennKey Support Providers)	New PennKey support application/Penn Community	Training sessions on using the Two-Step support tools in the new PennKey support application were held for support providers

Documentation & Help

Documentation

Two-Step Verification help documentation website
Duo's documentation: Duo Universal Prompt guide.

Managing Devices

Use the Duo Device Management Portal to add, rename, or delete devices:
- Duo documentation to Add Another Device when in the Duo Device Management Portal.
- Duo documentation to Rename or Remove a Device when in the Duo Device Management Portal.

User Help

Users can find support contacts on the Two-Step Verification help contacts page

Support Providers

See the Two-Step Information for LSPs page for:
- More information on the Duo Universal Prompt rollout (including policy changes)
- Links to end-user resources
- Common technical issues
- Info on how to escalate an issue
- FAQs
For Two-Step documentation, visit the Two-Step Verification help site
For Identity Proofing guidance, see the ID Proofing Guidance for PennKey Administrators document
For issues, support providers may contact ISC Client Care
For user help contacts, see the Two-Step Verification help contacts page

Updates

Duo Push Security Enhancement – April 3, 2024