Multiple deployments - Authentication Failures for some Duo protected applications
Incident Report for Duo
Postmortem

Summary

On August 4, 2021, Duo’s Engineering Team was made aware of an issue with the Duo authentication prompt that prevented it from being displayed properly in certain web browsers or applications that embed those web browsers. This resulted in affected users being unable to successfully authenticate with Duo.

The issue has been resolved by a code change deployed to all affected customers.

Details

The issue was caused by a bug introduced in Duo’s early August D221 release, which was deployed to customers starting on July 29, 2021. This release included enhancements to the Duo Prompt that were incompatible with the following web browsers or applications that embed them:

  • Firefox 60 - 78.6 (released mid 2018 through late 2020)
  • Internet Explorer in compatibility mode

The bug affected the deployments DUO3, DUO4, DUO5, DUO6, DUO7, DUO10, DUO13, DUO14, DUO19, DUO20, DUO21, DUO23, DUO24, DUO26, DUO28, DUO31, DUO33, DUO37, DUO38, DUO39, DUO42, DUO43, DUO44, DUO45, DUO46, DUO47, DUO48, DUO50, DUO51, DUO52, DUO55, DUO56, DUO57, DUO58, DUO62, DUO63, DUO64, and DUO66.

It did not affect all customers because, after the issue was reported, the release was paused while a solution was identified.

A fix for the issue, which added support for the browsers that were previously unable to display the Duo Prompt, was added to the release and redeployed to affected customers. This was finished by 9:00 pm EDT on August 5. Duo’s Engineering Team has enhanced automated test coverage in this area to prevent similar issues in the future.

Note: You can find your Duo deployment’s ID and sign up for updates via the StatusPage by following the instructions in this knowledge base article.

Posted Aug 06, 2021 - 16:11 EDT

Resolved
The issue regarding authentication problems for applications using embedded browsers is fully resolved and all services are now fully functional.

We will be posting a root-cause analysis (RCA) here once our engineering team has finished its thorough investigation of the issue.

Please make sure to check back or subscribe to be notified when the RCA is posted.
Posted Aug 05, 2021 - 23:33 EDT
Monitoring
We have identified the issue causing authentication problems for applications using embedded browsers and deployed a fix to all affected customers.
We will continue to monitor the situation and update this incident once we have confirmed the issue is fully resolved.
Posted Aug 05, 2021 - 20:59 EDT
Identified
We have identified the cause of the issue causing authentications to fail in embedded browsers across multiple operating systems. We are actively working to restore functionality.

Please check back here or subscribe to updates for any changes.
Posted Aug 05, 2021 - 00:08 EDT
Investigating
Duo is currently investigating an issue causing authentication failures, affecting VPN clients and other Duo-protected applications using embedded browsers across multiple operating systems. The current workaround for customers seeing this behavior on Windows is to ensure compatibility mode is turned off; here is some guidance on how this can be done - https://help.duo.com/s/article/2174?language=en_US. We are actively working to remediate the issue - please be sure to check back here or subscribe to updates for any changes.
Posted Aug 04, 2021 - 13:22 EDT
This incident affected: DUO44 (Core Authentication Service), DUO37 (Core Authentication Service), DUO3 (Core Authentication Service), DUO42 (Core Authentication Service), DUO33 (Core Authentication Service), DUO52 (Core Authentication Service), DUO39 (Core Authentication Service), DUO45 (Core Authentication Service), DUO20 (Core Authentication Service), DUO19 (Core Authentication Service), DUO10 (Core Authentication Service), DUO5 (Core Authentication Service), DUO43 (Core Authentication Service), DUO7 (Core Authentication Service), DUO28 (Core Authentication Service), DUO4 (Core Authentication Service), DUO21 (Core Authentication Service), DUO47 (Core Authentication Service), DUO31 (Core Authentication Service), DUO46 (Core Authentication Service), DUO48 (Core Authentication Service), DUO26 (Core Authentication Service), DUO55 (Core Authentication Service), DUO50 (Core Authentication Service), DUO58 (Core Authentication Service), DUO63 (Core Authentication Service), DUO23 (Core Authentication Service), DUO24 (Core Authentication Service), DUO38 (Core Authentication Service), DUO13 (Core Authentication Service), DUO64 (Core Authentication Service), DUO14 (Core Authentication Service), DUO57 (Core Authentication Service), DUO56 (Core Authentication Service), DUO62 (Core Authentication Service), DUO51 (Core Authentication Service), DUO66 (Core Authentication Service), and DUO6 (Core Authentication Service).