惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
雷峰网
雷峰网
罗磊的独立博客
Hugging Face - Blog
Hugging Face - Blog
T
Tailwind CSS Blog
V
Visual Studio Blog
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
Last Week in AI
Last Week in AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 司徒正美
有赞技术团队
有赞技术团队
J
Java Code Geeks
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
Engineering at Meta
Engineering at Meta
B
Blog
Recent Announcements
Recent Announcements
C
Check Point Blog
MongoDB | Blog
MongoDB | Blog
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
F
Full Disclosure
Microsoft Security Blog
Microsoft Security Blog
N
Netflix TechBlog - Medium
I
InfoQ
云风的 BLOG
云风的 BLOG
量子位
D
Docker
D
DataBreaches.Net
Vercel News
Vercel News
Blog — PlanetScale
Blog — PlanetScale
宝玉的分享
宝玉的分享
V
V2EX
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Y
Y Combinator Blog
美团技术团队
小众软件
小众软件
阮一峰的网络日志
阮一峰的网络日志
博客园 - 聂微东
B
Blog RSS Feed
MyScale Blog
MyScale Blog
月光博客
月光博客
T
The Blog of Author Tim Ferriss
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
M
MIT News - Artificial intelligence
U
Unit 42
Google DeepMind News
Google DeepMind News

The Duo Blog

Identity orchestration & cloud-native IAM: Time to rethink | Cisco Duo Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer
Solving the double prompt: Better UX with AMR in Duo SSO
Alan Hu · 2026-03-12 · via The Duo Blog

Industry News

Headshot of Alan Hu, Product Manager

3 minute read

As security threats become more sophisticated, the context of an authentication event matters just as much as the success of the event itself.

This is where Authentication Method Reference (AMR) comes into the picture. We are excited to discuss the integration of AMR support into Duo SSO, a new feature designed to provide granular visibility, enhance security control, and significantly streamline the user experience for your workforce.

What is Authentication Method Reference (AMR)?

Authentication Method Reference (AMR) is a standard that allows Identity Providers (IdPs) to share specific details about how a user authenticated during a session.

Without AMR, an identity provider simply tells an application, "This user is verified." With AMR, the IdP communicates exactly how verification happened, such as:

  • "This user verified using a password"

  • "This user verified using a biometric factor"

  • "This user completed multi-factor authentication"

Duo SSO now supports AMR in both SAML and OIDC protocols, moving towards a more nuanced authentication framework that provides additional visibility and context.

Why AMR matters now: meeting mandatory MFA requirements

Major platforms no longer treat MFA as optional. A prime example occurred on February 3, 2026, when Salesforce began enforcing mandatory MFA for direct logins to combat compromised credentials and account takeovers. Google Cloud has announced similar measures are being rolled out to all users.

If your organization uses SSO to access these platforms and others, this presents a challenge. It is not enough for the IdP to simply log the user in; the IdP must signal that MFA was performed to satisfy these requirements. Otherwise, your users may be blocked from access or forced to register for a separate, redundant MFA method with the service provider.

We expect to continue seeing this trend, with more service providers adopting similar requirements in the future. AMR in Duo SSO ensures that you can meet these evolving third-party mandates without adding friction for your users.

How Duo SSO solves the “double prompt” problem

Consider the experience when logging into Salesforce after the MFA mandate took effect. If the IdP does not send the AMR values, Salesforce assumes that MFA did not happen. This triggers a redundant “double prompt” scenario: the user performs MFA to satisfy the SSO requirement but is immediately forced by Salesforce to register or authenticate again.

AMR eliminates this redundancy. By passing precise authentication details via the OIDC ID Token or the SAML AuthNContext portion of the assertion, Salesforce recognizes that a strong MFA method was already used during the SSO flow. It will then dynamically skip the second prompt, creating a frictionless experience for your users without compromising security or increasing help desk tickets.

AMR support represents a shift from static authentication to dynamic, context-aware security. By implementing standards-compliant AMR mappings, Duo SSO ensures that you can meet rigorous security requirements while keeping the user experience simple and straightforward.

How to configure AMR in Duo SSO

Enable AMR values for both new and existing Duo SSO integrations. Duo maps your authentication methods to standard AMR values automatically.

To get started:

New to Duo? Start a free trial to see how Duo SSO simplifies authentication for your workforce.

Frequently asked questions about AMR in Duo SSO

  • What is Authentication Method Reference?

    Authentication Method Reference (AMR) is a standard that allows identity providers to communicate exactly how a user authenticated during a session. Instead of simply confirming a user is verified, AMR specifies whether the user authenticated with a password, biometric, hardware token, or multi-factor authentication. Duo SSO supports AMR values in both SAML and OIDC protocols.

  • How do I configure AMR in Duo SSO?

  • Why is Salesforce requiring MFA for SSO users?

  • What is the double-prompt problem?

  • Does Duo SSO support AMR for applications other than Salesforce?