Welcome to Duo Security’s Federal Guide to Duo’s FedRAMP Authorized Federal Editions. All Federal Edition product differences outlined within this guide were completed to ensure product alignment with FedRAMP/NIST 800-53 security controls, NIST’s Digital Identity Guidelines (SP 800-63-3), and FIPS 140-2 compliance requirements for Duo’s US Federal/Public Sector customers. Learn more about Duo’s Federal Editions.
If you’re a US Federal Agency and you need to access Duo’s FedRAMP Authorization Package, please leverage OMB’s MAX Portal or contact your Duo Federal Account Executive.
To sign up for Duo’s federal editions, please fill out the contact form on Duo's Federal Editions page. Once submitted, Duo will reach out to qualify and confirm eligibility to ensure customers are federal agencies, federal contractors, public sector entities, or Cloud Service Providers (CSPs) pursuing FedRAMP.
Duo’s integrations communicate with Duo's service via HTTPS on TCP port 443, for both standard and federal editions.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo KB article 1337 for additional information.
Many of Duo’s applications support the use of an HTTP proxy to provide connectivity to Duo. Check the documentation or FAQs for the Duo applications you will be deploying to determine if they support HTTP proxy.
Duo's federal and standard editions use the same core components and are administered in the same way, via the Duo Admin Panel. Most administration and deployment tasks in Duo federal editions use the same published instructions available at /docs.
This document describes how Duo's federal editions differ from Duo’s standard editions.
Duo's federal editions strictly require TLS 1.2 secured communications. Ensure that your Duo application versions and the operating systems of the hosts where you install Duo applications also support TLS 1.2.
Additionally, the API host domain for federal editions is duofederal.com instead of the duosecurity.com domain used by Duo standard editions.
Duo randomly generates 40-character application secret keys ("skeys") and client secrets with FIPS-validated Deterministic Random Bit Generators (DRBG) using the Cisco FIPS Object Module.
Duo Push and Duo Mobile passcode authentication methods on iOS 6 and later and on Android (as of Duo Mobile version 3.25.0) are FIPS 140-2 compliant by default with no configuration required by administrators. Learn more about Duo Mobile FIPS support in Duo’s Knowledge Base.
Duo Federal plans exclude these Duo features and functionality.
Trusted Endpoints, which restricts application access to managed devices, is not available in federal editions.
Duo Device Health, which verifies endpoint security posture when accessing applications, is not available in federal editions.
Duo Network Gateway, a reverse proxy for on-premises web application, RDP, and SSH connectivity with MFA, is not available in federal editions.
Duo Single Sign-On, our hosted SAML 2.0 identity provider, is not available in federal editions. You may use Duo Access Gateway, our on-premises SAML identity provider, with your Duo Federal customer account to provide single sign-on for applications. The end-of-life information and dates published on the Duo Access Gateway documentation pages apply to Duo's commercial editions.
Duo Trust Monitor, which analyzes and models authentication telemetry in order to highlight potentially suspicious user and device access activity, is not available in federal editions.
Risk-Based Authentication detects risk and automatically provides step-up authentication, and is not available in federal editions.
Duo's federal editions do not include the direct LDAPS integrations for Cisco ASA or Juniper/Pulse Secure SSL VPNs. Customers who wish to protect these VPNs can do so via RADIUS, with the Cisco ASA RADIUS and Juniper SA RADIUS or Pulse Secure RADIUS configurations, which require local installation of the Duo Authentication Proxy. An alternative to RADIUS is SAML 2.0 SSO, with the Duo Access Gateway and the Cisco ASA SAML or DAG Generic SAML (for Juniper/Pulse) SSO applications.
Note that the Duo Authentication Proxy is only FIPS-compliant for LDAPS communications, so if end-to-end FIPS is required you can protect these VPNs via LDAPS to the Duo proxy. Ask your Duo sales or customer success engineer for more details.
Duo's commercial editions support Azure Conditional Access via a custom control. Microsoft’s Government Cloud does not support custom controls for conditional access in Azure Government’s Active Directory service today. Therefore, Duo's federal editions do not include access to this application.
These Duo features and software applications have additional requirements (or limitations) for operation or use with Duo Federal plans.
Logs and reports in Duo Federal may not show the same level of detail or full complement of events available in commercial Duo editions.
Duo Federal customers may use OIDC-based Auth API applications and enable Duo Universal Prompt for supported applications. The applications not in-scope for Universal Prompt remain the same for both Duo Federal and Duo commercial editions.
Duo Federal's Universal Prompt feature availability matches the feature availability for Duo commercial customers, with the following exceptions:
Universal Prompt is not enabled as the default experience for newly-created supported applications in Duo Federal accounts.
Self-enrollment: new users performing first-time Duo enrollment from a Duo Federal tenant application with Universal Prompt activated or using an enrollment link emailed to the user will fall back to the traditional prompt experience.
Self-service device management: there is no link in the Duo Federal Universal Prompt for previously enrolled users to add a new device or manage existing devices. The recommended workaround for this is to make self-service device management available in an application still using the traditional prompt.
Duo Federal customers may upload a custom logo and turn Duo branding on and off in Settings. Additional custom branding options for the Universal Prompt, like setting an accent color or background image for the prompt, and the ability to save draft customizations and pilot them with selected users, are not available in Duo's federal editions.
Duo's federal editions include the Azure Directory Sync feature as of October 2020. This permits importing users into Duo from Azure commercial and government tenants, but not from Azure GCC High tenants.
The Duo Authentication Proxy is an application you install on your network. It’s used for Active Directory and OpenLDAP sync of your users into Duo, and for RADIUS and LDAP two-factor authentication for your on-premises VPNs, services, and applications.
The Duo Authentication Proxy is FIPS-compliant when it is installed on a Windows or Linux system with FIPS enabled at the operating system level, and you enable the FIPS option in the Duo proxy configuration file. LDAPS is the only FIPS-compliant authentication method.
Duo Unix is FIPS-compliant when run on a Unix or Linux system with the operating system-wide FIPS mode enabled.
Duo for Windows Logon application v4.0.7 is the minimum supported version for federal edition customers. For the best results, we recommend installing the latest available version.
Duo for AD FS supports AD FS installed on Windows 2012 R2 and later, with version 18.104.22.168 or later of the Duo MFA adapter. You must enable TLS 1.2 for .NET Framework 4.5 by creating the following registry values on your AD FS server before installing Duo MFA:
[HKLM\Software\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKLM\Software\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
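A PowerShell check for the two registry values above, as an added example that is not Duo's own script: it reports whether SchUseStrongCrypto is set to 1 under both keys and writes the values only when run with the -Apply switch (a name chosen for this example) from an elevated session.

```powershell
# Added example: audit (and optionally set) SchUseStrongCrypto for .NET Framework 4.x
# on an AD FS server, covering the 64-bit and 32-bit (Wow6432Node) registry views.
[CmdletBinding()]
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$keys = @(
    'HKLM:\Software\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\Software\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$name = 'SchUseStrongCrypto'

$results = foreach ($key in $keys) {
    # Read the current value; a missing key or value leaves $current as $null.
    $current = $null
    if (Test-Path -Path $key) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    }

    # Write the DWORD only when asked to and only when it is not already 1.
    if ($current -ne 1 -and $Apply) {
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        $current = (Get-ItemProperty -Path $key -Name $name).$name
    }

    [pscustomobject]@{
        Key       = $key
        Value     = $current
        Compliant = ($current -eq 1)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment pipeline stop before the Duo MFA adapter is installed.
if ($results.Compliant -contains $false) {
    Write-Warning "$name is not set to 1 under every key; run again with -Apply from an elevated session."
    exit 1
}
```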
Ensure that you are using version 1.1.6 of the Duo Splunk Connector. Previous versions experience configuration issues against Duo Federal deployments.
Duo's federal edition customers may not use any of the telephony features in Duo’s standard service. Duo removed telephony authenticators from our federal editions to provide alignment with NIST 800-63-3b AAL2 requirements by default, as NIST labels telephony authenticators as “RESTRICTED”. This restriction affects how federal administrators and end users get created or enrolled in Duo, and how they log in using Duo.
The Duo administrator password default requirement specifies at least twelve (12) characters. The minimum password length may be modified in the Admin Password Policy settings area of the global Settings page.
New passwords will be checked against common passwords, usernames, and other account information to ensure uniqueness. Federal editions do not provide the administrator password complexity options available in standard editions.
When creating a new Duo administrator, the only option for secondary authentication is to select a hardware token previously imported into Duo. Once you save the new administrator, you may also choose to activate Duo Push. If you do not choose one of these options, then the new administrator can’t log in.
Click Activate Duo Push and then click the Activate link to generate a QR code that the new admin can scan with Duo Mobile to activate the app for Duo Push. If the new admin isn’t with you to scan the QR code, click the Email this barcode to … link to send the code to them.
All Duo administrators access the Duo Admin Panel to configure their Duo service and users. When logging in to the Duo Admin Panel as a Duo federal edition customer, you’ll note some differences to the documented login process:
Use your unique customer admin URL to access the Duo Admin Panel, e.g. https://admin-abcd1234.duofederal.com. Do not use https://admin.duosecurity.com.
Duo's federal editions may not use telephony-related features. Duo administrators must authenticate using Duo Push on a smartphone with the Duo Mobile app, or with a passcode from a hardware token. A Duo admin without either of these secondary authenticators may not log into the Duo Admin Panel.
Duo's federal edition administrators must accept the login warning shown or be denied access.
Duo federal customers have the following Lockout and Fraud defaults:
Additionally, the default inactive user expiration is ninety (90) days.
The telephony restrictions in Duo's federal editions change the end-user device enrollment and authentication experience. Note that you can achieve similar restrictions via policy settings as a Duo standard edition customer, but in Duo's federal editions these restrictions may not be removed or reverted.
Users may not enroll or authenticate with the following device types and platforms:
Users may enroll and authenticate with:
The Duo enrollment and authentication interface hides the disallowed platforms and device types from end users.
| |Federal Editions|Standard Editions|
|---|---|---|
|Enrollment Device Options|No Landline Option|Has Landline Option|
|Enrollment of Existing Device|Cannot Enroll with an Existing Phone Device|Verify an Existing Phone Device During Enrollment|
|Enrollment Phone OS Options|iPhone and Android Only|iPhone, Android, Windows Phone, or Other|
|Automatic Authentication Actions|No Automatic Call|May Choose Automatic Call|
|Authentication Factor Options|No Phone Call Option|Phone Call Option|
|Authentication with SMS Passcode|No option to send SMS Passcodes|Option to send SMS Passcodes Present|
Some Duo applications do not show the interactive Duo Prompt. These are typically applications that use RADIUS auto or LDAP authentication through the Duo Authentication Proxy or Duo for Microsoft Remote Desktop Gateway. Instead of allowing the end user to interactively choose which authentication method to use, these integrations perform an automatic push (if Duo Mobile was activated for the end user) or phone callback (if the user has an attached phone without Duo Mobile activation).
In Duo federal editions, these configurations will not perform an automatic phone call for authentication. If a user has a device activated for Duo Push, they receive an automatic push request. If the user has no device activated for Duo Push, then the login attempt fails.
In some auto push configurations the end user may append the name of a factor or a passcode generated by a hardware token, received via SMS, or generated by Duo Mobile.
In Duo federal editions, the “phone” and “sms” factor options do not work for authentication. Users may continue to append “push” to receive a Duo Push request to Duo Mobile, or append a passcode.
The Universal Prompt experience in Duo Federal plans is subject to the same limitations as the traditional Duo prompt experience, such as no telephony-based authentication options.
Fill out the contact form on the Duo Federal editions pricing page to get started with Duo today!