Multiple Deployments: Blank Duo Prompt During Remediation for Some Users
Incident Report for Duo Security
Postmortem

Authentication Issues

Incident Report - 2019/01/23

Summary:

From January 22, 2019 13:13 UTC to January 23, 2019 23:26 UTC, some authentications in which an out-of-date software warning was displayed to users resulted in a blank Duo Prompt that prevented authentication. Out-of-date blocking policies were unaffected. This issue only affected customers on the DUO33, DUO50, DUO56, and DUO58 deployments.

Specifically, this issue occurred when the warning popup was automatically shown after completing 2FA because of an out-of-date software warning policy. This popup would not automatically show if the software had only recently become out-of-date or the user had recently clicked through from the out-of-date message at the bottom of the Duo Authentication Prompt.

All other authentications were unaffected. Duo’s Engineering team has identified and fixed this issue and has put in place automated and manual tests to ensure that this issue does not re-occur.

Screenshots

Users would normally have seen this: [screenshot not included]

Affected users saw this instead: [screenshot of the blank Duo Prompt not included]

Background:

Duo regularly releases updates to the software that runs the Duo Service. On January 22, 2019 13:13 UTC, a routine software update was rolled out as part of our normal release process. At 16:00 UTC on January 23, 2019, Duo’s Engineering team received a report that some users were being presented with a blank prompt.

On the software remediation card, the session is used to fetch out-of-date software. A code refactor resulted in clearing the user’s session before this fetch was performed. Because the user’s session contained no data, the service was unable to display any information, resulting in the blank prompt appearing.
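A minimal model of the ordering bug described above, added here as an illustration and not Duo's code. The session class, function names, sample data and the fetch-then-clear ordering used as the fix are all assumptions.

```python
"""Constructed model of a clear-before-fetch ordering bug (hypothetical names)."""


class Session:
    """Stand-in for a per-authentication server-side session."""

    def __init__(self, data):
        self.data = dict(data)

    def clear(self):
        self.data.clear()


def fetch_outdated_software(session):
    # The remediation card reads its content from the session.
    return list(session.data.get("outdated_software", []))


def render_remediation_card(items):
    # An empty item list yields an empty body: the blank prompt.
    return "\n".join(f"Update available: {name}" for name in items)


def complete_auth_refactored(session):
    """Ordering after the refactor: session cleared before the fetch."""
    session.clear()
    return render_remediation_card(fetch_outdated_software(session))


def complete_auth_patched(session):
    """Assumed corrected ordering: fetch first, then clear the session."""
    items = fetch_outdated_software(session)
    session.clear()
    return render_remediation_card(items)


def regression_check(handler):
    """True if the handler renders a non-blank card and leaves the session empty."""
    # Constructed sample data, not taken from the incident.
    session = Session({"user": "example-user",
                       "outdated_software": ["ExampleBrowser 1.0", "ExamplePlugin 2.0"]})
    body = handler(session)
    return bool(body.strip()) and not session.data


if __name__ == "__main__":
    print("refactored ordering passes:", regression_check(complete_auth_refactored))
    print("patched ordering passes:", regression_check(complete_auth_patched))
```

A check of this shape, asserting on the rendered card rather than only on authentication success, is the kind of automated test that catches a blank prompt before release.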

At 17:57 UTC, Duo’s Engineering team identified the cause of the issue and completed development of a patch to resolve it.

At 19:08 UTC, Duo’s Engineering team deployed the patch to our testing environments and began acceptance testing.

At 22:46 UTC on January 23, 2019, Duo’s Engineering team began deploying a software update containing the patch to affected production deployments.

At 23:26 UTC, deployment was complete to all affected deployments and the issue was resolved.

Posted Jan 24, 2019 - 12:28 EST

Resolved
Our Engineering Team successfully deployed a change to resolve the blank Duo Prompt display caused by some out-of-date software warnings. The prompt is now displaying correctly in all scenarios. From January 22, 2019 13:13 UTC to January 23, 2019 23:26 UTC, some authentications in which an out-of-date software warning was displayed to users resulted in a blank Duo Prompt that prevented authentication. A formal RCA will be posted momentarily.
Posted Jan 24, 2019 - 12:11 EST
This incident affected: DUO33 (Core Authentication Service), DUO56 (Core Authentication Service), DUO58 (Core Authentication Service), and DUO50 (Core Authentication Service).