惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
N
News and Events Feed by Topic
D
DataBreaches.Net
MongoDB | Blog
MongoDB | Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Engineering at Meta
Engineering at Meta
T
Tailwind CSS Blog
博客园_首页
Microsoft Azure Blog
Microsoft Azure Blog
Y
Y Combinator Blog
博客园 - Franky
Hugging Face - Blog
Hugging Face - Blog
月光博客
月光博客
A
About on SuperTechFans
I
InfoQ
S
Securelist
Last Week in AI
Last Week in AI
S
Schneier on Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
Hacker News: Ask HN
Hacker News: Ask HN
Schneier on Security
Schneier on Security
Know Your Adversary
Know Your Adversary
腾讯CDC
大猫的无限游戏
大猫的无限游戏
S
Security @ Cisco Blogs
博客园 - 三生石上(FineUI控件)
Simon Willison's Weblog
Simon Willison's Weblog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
美团技术团队
aimingoo的专栏
aimingoo的专栏
G
Google Developers Blog
罗磊的独立博客
Vercel News
Vercel News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Cloudflare Blog
S
Secure Thoughts
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Latest news
Latest news
Recent Announcements
Recent Announcements
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
LINUX DO - 热门话题
Security Latest
Security Latest
TaoSecurity Blog
TaoSecurity Blog
Cyberwarzone
Cyberwarzone
有赞技术团队
有赞技术团队

The Duo Blog

Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer
Passwordless authentication without cookies: Duo Push updates
Kyle Mills, Lei Hung · 2026-03-26 · via The Duo Blog

Industry News

Device Trust without cookies: advancing passwordless with Duo Push

Headshot of Kyle Mills Headshot of Lei Hung, Product Manager

6 minute read

Going passwordless is one of the most impactful steps an organization can take to reduce phishing risk and simplify the authentication experience. We’ve seen broad customer adoption of Duo Push for passwordless thanks to its familiar user experience, and we’re committed to continuously improving that experience.

Today, we’re introducing enhancements to Duo Passwordless Push for Duo SSO apps that address limitations of the browser cookie-based approach used to establish device trust. Previously, switching browsers, setting up a new laptop, or simply clearing cookies could force users back to a password. That friction makes achieving true passwordless more difficult.

By integrating Duo Desktop into the passwordless workflow and adding Bluetooth proximity verification, we’ve made Duo Passwordless Push more resilient, more consistent, and ready for organizations that want to go all in without compromise.

The limitations of browser cookies as a trust signal

Duo Passwordless Push works by verifying that a user's browser is recognized before allowing access. Until now, that trust relied on a browser cookie. Cookies work in many use cases, but they come with limitations that surface in everyday scenarios.

For example, when logging in from an embedded browser where cookies don’t persist, Duo Passwordless Push becomes an unviable method and requires users to log in with another method; usually, that means passwords and two-factor authentication (2FA). For teams that have disabled password fallback to fully commit to passwordless, this can stop a user's day in its tracks.

Clearing cookies also means starting over. IT policies, browser updates, or users tidying up their settings can all wipe cookies.

Furthermore, when users get new laptops, no pre-existing trust signals like cookies exist to allow passwordless push. Users must either re-enroll or authenticate again on that device first to obtain a cookie before passwordless push is available to use. These limitations make achieving true passwordless challenging.

What’s new from Duo

Persistent Device Trust across browsers with Duo Desktop

With Duo Desktop registered on an endpoint, device trust is now stored server-side and tied to the device itself instead of a single browser. When a user marks a browser as known during authentication, that trust decision is associated with the endpoint through Duo Desktop. The next time they sign in, even from a different browser, Duo Desktop identifies the device and the trusted status carries over automatically.

Cookies are still supported as an optional fallback for scenarios where Duo Desktop is not running. This ensures a smooth rollout with no disruption.

In practice, this means users no longer lose device trust. Switching browsers, clearing cookies, or resetting profiles no longer sends them back to square one.

Bluetooth Proximity Verification for new endpoints

To address the new laptop problem, we’ve introduced a highly secure way to establish device trust. When a user signs in from an unrecognized endpoint, they’re prompted to enter a Duo Mobile one-time-passcode (OTP), followed by Bluetooth proximity verification. This confirms that their registered mobile device is physically nearby before completing the passwordless push.

This layered approach prevents common attacks such as push harassment and remote phishing. There’s no password, no fallback factor, and no manual Bluetooth device pairing. Duo Desktop and Duo Mobile handle the Bluetooth handshake seamlessly in the background while the user simply approves the push. The result is a clean, secure path to truly passwordless onboarding.

Granular controls for high-security environments

Administrators get two new policy options to tailor the authentication experience based on their risk tolerance:

  1. First, you can choose whether Bluetooth proximity verification is required only on unrecognized endpoints (the default) or required on every passwordless login for a stricter posture in more critical environments.

  2. Second, you can disable browser cookies as a trust signal. With Duo Desktop handling trust at the endpoint level, cookies are no longer necessary. Removing them from the equation means a stolen or replayed cookie can never be used to satisfy the device trust check for a passwordless push. This hardens your passwordless deployment against cookie theft without impacting user experience, since Duo Desktop handles device recognition seamlessly.

Duo Passwordless Push Just Works Everywhere

Passwordless authentication should simply work. It should feel natural to users, dependable across devices, and strong enough to meet modern security standards.

Duo Passwordless Push delivers that experience. Trust stays anchored to the device, creating consistency across browsers and sessions. New endpoints can establish trust quickly and securely from day one. At the same time, administrators gain granular controls to shape the experience according to their security requirements.

These enhancements make Duo Passwordless Push a robust, scalable foundation for organizations ready to embrace a true passwordless future.

To get started, visit our Passwordless Quick Start Guide and documentation.

Interested in learning more about how Duo helps defend against modern phishing attacks? Get the free guide to Building End-to-end Phishing Resistance or try it for yourself with a free trial of Duo IAM and Passwordless today.

Frequently asked questions about Duo Passwordless Push

What is Duo Passwordless Push?

Duo Passwordless Push allows users to authenticate without entering a password by verifying their identity through a push notification to the Duo Mobile app. It combines device trust verification with user approval to provide a secure, phishing-resistant login experience for applications protected by Duo Single Sign-On (SSO).

What about Passwordless Windows Logon?

The passwordless capabilities discussed in this post apply to web-based applications protected by Duo Single Sign-On (SSO), where users authenticate through a browser. Duo also offers Passwordless OS Logon feature for Windows, which eliminates passwords at the Windows desktop login screen itself. To learn more about Passwordless Windows Logon, visit here.

How does Duo Desktop improve passwordless device trust?

Duo Desktop stores device trust server-side and ties it to the endpoint rather than relying on a browser cookie. This means trust persists across browsers, survives cookie clearing, and carries over automatically when users switch between browsers on the same device.

How do I establish passwordless trust on a new laptop?

When a user signs in from an unrecognized endpoint, Duo prompts them to enter a Duo Mobile one-time passcode followed by Bluetooth proximity verification. This confirms that the user's registered mobile device is physically nearby, establishing device trust securely without requiring a password.

What is Bluetooth proximity verification in Duo?

Bluetooth proximity verification is a security feature that confirms a user's registered Duo Mobile device is physically near the endpoint during authentication. Duo Desktop and Duo Mobile handle the Bluetooth handshake automatically in the background, requiring no manual device pairing from the user.

Can I disable browser cookies for Duo Passwordless Push?

Yes, administrators can disable browser cookies as a trust signal through Duo policy controls. With Duo Desktop handling device trust at the endpoint level, cookies are no longer necessary. Disabling cookies prevents stolen or replayed cookies from satisfying the device trust check for passwordless push.

What is the difference between cookie-based and device-based trust in Duo?

Cookie-based trust relies on a browser cookie to recognize a device, which means trust is lost when cookies are cleared, browsers are switched, or a new device is used. Device-based trust through Duo Desktop ties recognition to the endpoint itself and stores it server-side. This approach provides consistent trust across browsers and sessions without depending on cookies.