✅ Support for Duo Universal Prompt

I’d like to see Bitwarden add support for the Duo Universal Prompt.
Here’s a link to how to do this: Duo Universal Prompt Update Guide | Duo Security

4 Likes

Feature name

  • Duo Universal Prompt Update

Feature function

  • What will this feature do differently? Updates the API from the now-deprecated iframe v2 API to the new v4 API instead.
  • What benefits will this feature bring? Eliminates old API versions and iframe usage.

Related topics + references

1 Like

It needs to be addressed, as the traditional prompt will no longer be supported on 30 March 2024.

5 Likes

Hi, is this something that is on the roadmap?

1 Like

Duo is terminating support of the traditional Duo Prompt in March 2024.

Bitwarden needs to support the Universal Prompt before then… could somebody from Bitwarden please respond?

The team is aware of this one and planning accordingly, thanks!

2 Likes

Hi,

Sorry if I’m being annoying here, but I find this answer quite vague…
Can’t you provide an ETA or version when this will be changed?

1 Like

While I don’t have a specific ETA or version release number, Bitwarden releases every 5-6 weeks prior to March 2024 and the team will ensure that support is included with ample time prior to that date.

Any update on this? Our company might have to move away from Bitwarden if this is not implemented, since Duo is terminating support for the traditional Duo Prompt.

1 Like

Any update in implementing v4?

As mentioned above, the team is aware and will ensure it is implemented.

3 Likes

Looks like there is a NodeJS package to replace the old JavaScript for the traditional prompt.

This doesn’t allow us, as users, to switch Bitwarden to the Universal Prompt, does it?

Were you posting it here to assist the Bitwarden developers?

If you were able to upgrade the client with the new library, I think it would. But more for the Bitwarden developers since the GitHub issues that I found were all closed and pointed to here.

The clock is ticking, and more time has passed - we are down to three months remaining.
From what I can tell, all links searching for this point to this page, and for self-hosted enterprise users like myself, we are stuck waiting.
“Ample time” is before month’s end. If you’re releasing every 5-6 weeks that’s one, maybe two releases depending on how things land to still have time to deploy without a mad rush.
@bw-admin is there an actual ETA yet?

1 Like

I agree that this is becoming increasingly time-critical. I asked support last year and they said they were aware and that it was in the works, but thus far nothing. Please, Bitwarden, before the current integration breaks!

Hi folks, thanks for checking in on this. I can confirm our engineering team is actively working on adding support for the Duo Universal Prompt and we will complete the migration prior to the March 2024 deadline. Bitwarden will update this thread once the update has been released.

I wonder if there are any updates on this?

We received an update from our institutional Duo provider suggesting to reconfigure our Bitwarden account ahead of the deadline to use SAML SSO instead of direct Duo integration. Obviously this is a possible path forward for us, but I’m curious if it’s also a sensible option to just hold out another week or two for a native Duo integration?

Do Duo users need to change anything in their account (Admin panel) to transition over, or is this squarely on Bitwarden’s end? I already have a device registered.

Looking at the info on it, it’s not immediately obvious to me why they are changing it. The interface is slightly different, but I fail to see how it’s easier to use. Seems more like a product marketing choice rather than a substantial change in functionality or security.

I am also wondering if there is a need to change anything in the admin panel.
Particularly in the Duo admin side of things, it seems like there might be a requirement for switching it over to use Universal Prompt.

This entire thing has not been handled greatly; it would have been nice if clarity on the situation had been brought forward with the initial email notifying on-premise users of what was to come and what was needed on our end.

Duo making the change to Universal Prompt though? The use of iframe insertion is largely considered to be vulnerable to XSS. It makes perfect sense for an MFA company to not be seen using something that could be used for clickjacking attacks 🙂

More info found here if interested: https://stackoverflow.com/questions/7289139/why-are-iframes-considered-dangerous-and-a-security-risk

1 Like