Project Status: Underway

On July 15, 2026, support for SSO integrations within an iFrame window will be discontinued, specifically for MFA challenges. iFrames are a security risk for both the embedding and embedded sites. “Clickjacking” and phishing are specific risks that we are mitigating for sites that may have embedded a Duo MFA authentication. In addition, Duo security key features require us to end iFrame support. See below for details.

Who Is Affected?

  • Web application developers and web service owners and managers are affected. 
  • Websites or portals that directly embed other PennKey-protected applications or Duo MFA integrated applications are most likely to be affected by this security change.

Impact & Actions Needed

  • Applications that use iFrames during a Duo MFA authentication will no longer function on July 15.
  • If your app currently lets people log in using SSO inside an iFrame, you’ll need to change this setup following general web application practices (e.g., authentication before iFrame or removing iFrame layers from content).
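The "authentication before iFrame" option, sketched for the embedding page as an added example (not code from Penn or Duo): it asks the embedded application whether a session already exists, sends the whole browser tab to login when it does not, and only creates the iframe once the user is signed in. `APP_ORIGIN`, the `/session` and `/login` paths, the `authenticated` field and the `return` parameter are hypothetical placeholders for whatever your application exposes.

```javascript
// Hypothetical origin of the embedded, SSO-protected application.
const APP_ORIGIN = "https://app.example.edu";

// Pure decision step: what should the embedding page do before it
// creates the iframe? Returns a plan instead of touching the DOM.
function planEmbed(sessionActive, pageUrl, embedPath) {
  const src = new URL(embedPath, APP_ORIGIN);
  // A path such as "//other.host/x" resolves off-origin; never frame it.
  if (src.origin !== APP_ORIGIN) {
    return { action: "block", reason: "embed target is off the application origin" };
  }
  if (!sessionActive) {
    // Login, including the MFA challenge, runs in the top-level window.
    // The application must still validate "return" against an allowlist.
    const login = new URL("/login", APP_ORIGIN);
    login.searchParams.set("return", new URL(pageUrl).href);
    return { action: "top-level-login", url: login.href };
  }
  return { action: "embed", url: src.href };
}

// Browser glue. Assumes the application answers /session with JSON
// {"authenticated": true|false} and allows this page's origin via CORS.
async function mountEmbed(container, embedPath) {
  let active = false;
  try {
    const res = await fetch(new URL("/session", APP_ORIGIN), { credentials: "include" });
    active = res.ok && (await res.json()).authenticated === true;
  } catch (err) {
    active = false; // unreachable or blocked: treat as signed out
  }
  const plan = planEmbed(active, window.location.href, embedPath);
  if (plan.action === "top-level-login") {
    window.location.assign(plan.url); // navigate the tab, not a frame
  } else if (plan.action === "embed") {
    const frame = document.createElement("iframe");
    frame.src = plan.url;
    container.replaceChildren(frame);
  }
  return plan;
}
```

For the framed content to see the session afterwards, the application's session cookie has to be one the browser sends in a cross-site frame (`SameSite=None; Secure`).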

What Happens If No Action Is Taken

  • Users may lose access to embedded content and will receive error messages like the following:
    [Image: Duo Config Error]

Help & Resources