MFA, Duo Universal Prompt - 'Login Expired' Message

This page will assist users if they are receiving a 'Login Expired' message when attempting to authenticate with MFA via the Duo Universal Prompt.

Update:

Duo has rolled out an update that will fix the issue related to binding a client's IP address to their authenticated session. This caused issues for users interacting with Duo from Internet connections that frequently change their outbound IP address. More informaiton can be found in this Duo support article and the release notes pertaining to this updated version.

As such, the information included in this KB is mostly outdated, and the page will expire soon.


To mitigate session hijacking, Duo binds your IP address to the authenticated session. When you log in, your session will be tied to that initial IP address. If you happen to change IP addresses for some reason after initial authentication, you will be forced to re-authenticate.

For users whose public IPs change during the session, this security feature may also cause a "Login expired" error message in the Duo Universal Prompt.

If you are using a Mac with macOS Monterey (released Oct 2021) or newer or an iOS device with iOS 15 (released Sept 2021) or newer, please make sure that Apple's Private Relay feature is disabled. Private Relay prevents your original IP address from being passed to the sites you visit in Safari and in Apps. This feature is not compatible with Duo's security features and can cause the automatic logout issues described in this article. Information on this feature (and how to disable it) can be found in this Apple support article. Please note you may need to disable the feature in both the iCloud settings and your connection specific (Wi-Fi and/or cellular) settings.

This can also be triggered if your ISP is using carrier-grade NAT (CGNAT) also known as large-scale NAT (LSN). In certain applications of CGNAT, subscribers share a pool of public-facing IP addresses. If the user's public IP changes during authentication, it may trigger the 'Login Expired' message. If this is the case, please contact your ISP to see if it is possible to get a static IP address.

Users connecting via cellular data may experience this as well - IP addresses may change each time a device reconnects to the network.

More information can be found in this Duo article.




Keywords:duo universal prompt mfa 2fa multi two factor authentication login session expired apple private relay iphone ios   Doc ID:121785
Owner:ID M.Group:University of Illinois Technology Services
Created:2022-10-10 12:58 CSTUpdated:2022-10-31 00:09 CST
Sites:University of Illinois Technology Services
Feedback:  0   0