Remember me with Duo Universal Prompt

Question

What has changed about the Remember me for 7 days feature in Duo Universal Prompt? 

Cause

Due to increased security measures by Duo, there are now Remember me and Do not remember me browser cookies that need to be considered.

Scenarios

There are four possible scenarios with the Remember me feature. Any of these can be reset with a deletion of your browser cache:

• Scenario 1: Establish trust?
• Scenario 2: The computer or device is trusted
• Scenario 3: Renew trust?
• Scenario 4: The computer or device is not trusted

Scenario 1: Establish trust?

This is what users see initially.  It’s what they see if they delete all their browser cookies. It’s what they’ll see if they switch to another web browser they previously were not using for authentications.

Your experience:

1. Attempting to log on to a protected service will redirect you to the single sign-on screen. Provide your Duck ID and password.
2. You'll be redirected to Duo.
3. The Duo screen will appear asking for a second factor and you provide the second-factor response.
   
4. Another Duo screen will appear asking if this is a trusted device. Upon selecting a response, you will be redirected to the protected service.
   
   1. If you click Yes, this is my device, then a seven-day trusted cookie is created. Proceed to Scenario 2 for next steps.
   2. If you click No, other people use this device then a 14-day not trusted cookie is created. Proceed to Scenario 4 for next steps.

Scenario 2: The computer or device is trusted

This is what you see when you have an active Remember me cookie in place on the browser being used. This will be experienced until the seven-day trusted cookie expires.

Your experience:

1. Attempting to log on to a protected service will redirect you to the single sign-on screen. Provide your Duck ID and password.
2. You'll be redirected to Duo.
3. The Duo screen appears on the Duo server for a brief second to validate the trusted cookie. You will be redirected to the protected service.
   

To see what happens after seven days has passed, proceed to Scenario 3.

Scenario 3: Renew trust?

This is what users will experience after their 7-day cookie has expired.  By default, the checkbox for Remember me is already checked, but they can uncheck it.

Your experience:

1. Attempting to log on to a protected service will redirect you to the single sign-on screen. Provide your Duck ID and password.
2. You'll be redirected to Duo.
3. The Duo screen will appear asking for a second factor showing the checked Remember me checkbox, and you provide the second-factor response.
   
   1. If you uncheck the Remember me checkbox, proceed to Scenario 4.
4. Another Duo screen will appear asking if this is a trusted device.
   1. If you click Yes, this is my device, then a seven-day trusted cookie is created. Proceed to Scenario 2 for next steps.
   2. If you click No, other people use this device then a 14-day not trusted cookie is created. Proceed to Scenario 4 for next steps.

Scenario 4: The computer or device is not trusted

This is what you would experience if you either:

• Deselected the Remember me checkbox in Scenario 3, or
• If you selected No, other people use this device in Scenario 1.

This will be your experience for 14 days after taking the action to not trust the device. You can go back to Scenario 1 if you delete your browser’s cookies.

Your experience:

1. Attempting to log on to a protected service will redirect you to the single sign-on screen. Provide your Duck ID and password.
2. You'll be redirected to Duo.
3. The Duo screen will appear asking for a second factor without the Remember me checkbox and you provide the second-factor response.
   
4. Upon verification, you will be redirected to the protected service.