惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
Hacker News: Ask HN
Hacker News: Ask HN
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
MyScale Blog
MyScale Blog
月光博客
月光博客
W
WeLiveSecurity
T
Threat Research - Cisco Blogs
Martin Fowler
Martin Fowler
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
The GitHub Blog
The GitHub Blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
F
Full Disclosure
U
Unit 42
Jina AI
Jina AI
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
腾讯CDC
T
Threatpost
H
Hacker News: Front Page
P
Palo Alto Networks Blog
博客园 - 聂微东
Last Week in AI
Last Week in AI
有赞技术团队
有赞技术团队
Help Net Security
Help Net Security
L
LINUX DO - 热门话题
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy

The Duo Blog

Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer Cisco Secures 125K user identities with Duo while advancing passwordless journey NIST AAL2/3 compliance with Duo Mobile Proximity Verification From protocol to practice: Secure the AI agent ecosystem with Duo How to secure the holidays & prep your 2026 IAM strategy Simplify MSP technician authentication with Duo Delegated Access Standing out in a crowded MSP market Securing for third-party risk with Duo for identity management Thwarting adversary-in-the-middle attacks with Proximity Verification OAuth 2.0's next chapter: Enabling the AI security revolution The dawn of a simpler, helpful policy experience
Passwordless authentication without cookies: Duo Push updates
Kyle Mills, Lei Hung · 2026-03-26 · via The Duo Blog

Industry News

Device Trust without cookies: advancing passwordless with Duo Push

Headshot of Kyle Mills Headshot of Lei Hung, Product Manager

6 minute read

Going passwordless is one of the most impactful steps an organization can take to reduce phishing risk and simplify the authentication experience. We’ve seen broad customer adoption of Duo Push for passwordless thanks to its familiar user experience, and we’re committed to continuously improving that experience.

Today, we’re introducing enhancements to Duo Passwordless Push for Duo SSO apps that address limitations of the browser cookie-based approach used to establish device trust. Previously, switching browsers, setting up a new laptop, or simply clearing cookies could force users back to a password. That friction makes achieving true passwordless more difficult.

By integrating Duo Desktop into the passwordless workflow and adding Bluetooth proximity verification, we’ve made Duo Passwordless Push more resilient, more consistent, and ready for organizations that want to go all in without compromise.

The limitations of browser cookies as a trust signal

Duo Passwordless Push works by verifying that a user's browser is recognized before allowing access. Until now, that trust relied on a browser cookie. Cookies work in many use cases, but they come with limitations that surface in everyday scenarios.

For example, when logging in from an embedded browser where cookies don’t persist, Duo Passwordless Push becomes an unviable method and requires users to log in with another method; usually, that means passwords and two-factor authentication (2FA). For teams that have disabled password fallback to fully commit to passwordless, this can stop a user's day in its tracks.

Clearing cookies also means starting over. IT policies, browser updates, or users tidying up their settings can all wipe cookies.

Furthermore, when users get new laptops, no pre-existing trust signals like cookies exist to allow passwordless push. Users must either re-enroll or authenticate again on that device first to obtain a cookie before passwordless push is available to use. These limitations make achieving true passwordless challenging.

What’s new from Duo

Persistent Device Trust across browsers with Duo Desktop

With Duo Desktop registered on an endpoint, device trust is now stored server-side and tied to the device itself instead of a single browser. When a user marks a browser as known during authentication, that trust decision is associated with the endpoint through Duo Desktop. The next time they sign in, even from a different browser, Duo Desktop identifies the device and the trusted status carries over automatically.

Cookies are still supported as an optional fallback for scenarios where Duo Desktop is not running. This ensures a smooth rollout with no disruption.

In practice, this means users no longer lose device trust. Switching browsers, clearing cookies, or resetting profiles no longer sends them back to square one.

Bluetooth Proximity Verification for new endpoints

To address the new laptop problem, we’ve introduced a highly secure way to establish device trust. When a user signs in from an unrecognized endpoint, they’re prompted to enter a Duo Mobile one-time-passcode (OTP), followed by Bluetooth proximity verification. This confirms that their registered mobile device is physically nearby before completing the passwordless push.

This layered approach prevents common attacks such as push harassment and remote phishing. There’s no password, no fallback factor, and no manual Bluetooth device pairing. Duo Desktop and Duo Mobile handle the Bluetooth handshake seamlessly in the background while the user simply approves the push. The result is a clean, secure path to truly passwordless onboarding.

Granular controls for high-security environments

Administrators get two new policy options to tailor the authentication experience based on their risk tolerance:

  1. First, you can choose whether Bluetooth proximity verification is required only on unrecognized endpoints (the default) or required on every passwordless login for a stricter posture in more critical environments.

  2. Second, you can disable browser cookies as a trust signal. With Duo Desktop handling trust at the endpoint level, cookies are no longer necessary. Removing them from the equation means a stolen or replayed cookie can never be used to satisfy the device trust check for a passwordless push. This hardens your passwordless deployment against cookie theft without impacting user experience, since Duo Desktop handles device recognition seamlessly.

Duo Passwordless Push Just Works Everywhere

Passwordless authentication should simply work. It should feel natural to users, dependable across devices, and strong enough to meet modern security standards.

Duo Passwordless Push delivers that experience. Trust stays anchored to the device, creating consistency across browsers and sessions. New endpoints can establish trust quickly and securely from day one. At the same time, administrators gain granular controls to shape the experience according to their security requirements.

These enhancements make Duo Passwordless Push a robust, scalable foundation for organizations ready to embrace a true passwordless future.

To get started, visit our Passwordless Quick Start Guide and documentation.

Interested in learning more about how Duo helps defend against modern phishing attacks? Get the free guide to Building End-to-end Phishing Resistance or try it for yourself with a free trial of Duo IAM and Passwordless today.

Frequently asked questions about Duo Passwordless Push

What is Duo Passwordless Push?

Duo Passwordless Push allows users to authenticate without entering a password by verifying their identity through a push notification to the Duo Mobile app. It combines device trust verification with user approval to provide a secure, phishing-resistant login experience for applications protected by Duo Single Sign-On (SSO).

What about Passwordless Windows Logon?

The passwordless capabilities discussed in this post apply to web-based applications protected by Duo Single Sign-On (SSO), where users authenticate through a browser. Duo also offers Passwordless OS Logon feature for Windows, which eliminates passwords at the Windows desktop login screen itself. To learn more about Passwordless Windows Logon, visit here.

How does Duo Desktop improve passwordless device trust?

Duo Desktop stores device trust server-side and ties it to the endpoint rather than relying on a browser cookie. This means trust persists across browsers, survives cookie clearing, and carries over automatically when users switch between browsers on the same device.

How do I establish passwordless trust on a new laptop?

When a user signs in from an unrecognized endpoint, Duo prompts them to enter a Duo Mobile one-time passcode followed by Bluetooth proximity verification. This confirms that the user's registered mobile device is physically nearby, establishing device trust securely without requiring a password.

What is Bluetooth proximity verification in Duo?

Bluetooth proximity verification is a security feature that confirms a user's registered Duo Mobile device is physically near the endpoint during authentication. Duo Desktop and Duo Mobile handle the Bluetooth handshake automatically in the background, requiring no manual device pairing from the user.

Can I disable browser cookies for Duo Passwordless Push?

Yes, administrators can disable browser cookies as a trust signal through Duo policy controls. With Duo Desktop handling device trust at the endpoint level, cookies are no longer necessary. Disabling cookies prevents stolen or replayed cookies from satisfying the device trust check for passwordless push.

What is the difference between cookie-based and device-based trust in Duo?

Cookie-based trust relies on a browser cookie to recognize a device, which means trust is lost when cookies are cleared, browsers are switched, or a new device is used. Device-based trust through Duo Desktop ties recognition to the endpoint itself and stores it server-side. This approach provides consistent trust across browsers and sessions without depending on cookies.