Duo Security incident
Password Reset Failure for Duo SSO Logins using Active Directory
Duo Security experienced a minor incident on May 19, 2025 affecting SSO and 1 more component, lasting 1h 43m. The incident has been resolved; the full update timeline is below.
Update timeline
- investigating May 19, 2025, 11:20 PM UTC
We are currently investigating an issue causing password reset failures for Duo SSO logins using Active Directory as an authentication source.
- identified May 19, 2025, 11:46 PM UTC
We have identified the issue and a fix is being deployed.
- monitoring May 20, 2025, 12:12 AM UTC
We have implemented a fix and we are monitoring the results.
- resolved May 20, 2025, 01:04 AM UTC
We can confirm that the issue with password reset for Duo SSO logins using Active Directory has been resolved. Please check back here or subscribe for updates on the RCA as soon as it becomes available.
- postmortem May 21, 2025, 03:56 PM UTC
## Summary

On May 19, 2025, around 19:00 ET, Duo received reports of users who were unable to reset their Active Directory (AD) passwords through Duo SSO. This impacted all users who were attempting to reset an expired AD password. Functionality was restored to all deployments at 20:46 ET.

## Timeline of Events

12:53 ET: A planned update to SSO services is rolled out.
19:05 ET: Duo engineering is alerted that multiple customers are unable to reset expired AD passwords.
19:26 ET: Duo begins deploying a fix for the expired password reset issue.
19:57 ET: Duo receives confirmation that some customers are seeing restored service; the fix continues to be rolled out to additional deployments.
20:46 ET: The fix is rolled out to all deployments and service is restored.

## Details

An update was released that introduced a code change to our logic for determining whether or not to direct users to reset their expired AD password. This code change contained a bug which caused authentications with an expired password to be treated as invalid credentials instead of triggering the password change flow. For the duration of this issue, 526 customers were identified as having one or more users who were blocked from resetting their password.

### In addition to fixing the bug that caused this issue:

* Engineering is planning to increase our observability on this specific type of issue to improve our response time in the future.
* Engineering is planning to improve our automated testing for this password reset flow.
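The failure mode described in the Details section, as an added illustration that is not Duo's code and makes no claim about how Duo SSO is implemented: when an identity provider binds to Active Directory over LDAP, AD reports an expired password, an invalid password, and a locked account all as LDAP result 49 (invalidCredentials) and puts the real reason in the diagnostic message as a hex sub-code ("data 532" for password expired, "data 52e" for a bad password, and so on). A classifier that stops at result 49 sends an expired-password user to a generic "invalid" outcome instead of the reset flow, which is the shape of bug the postmortem describes. The `Outcome` names, the function names and the sample diagnostic strings below are constructed for this example; the AD sub-code table is standard Active Directory behaviour.

```python
import re
from enum import Enum

# Standard Active Directory sub-codes carried in the "data <hex>" field of the
# LDAP diagnostic message when the bind fails with result 49 (invalidCredentials).
AD_SUBCODES = {
    0x525: "user_not_found",
    0x52E: "invalid_credentials",
    0x530: "logon_time_restriction",
    0x531: "workstation_restriction",
    0x532: "password_expired",
    0x533: "account_disabled",
    0x701: "account_expired",
    0x773: "password_must_change",
    0x775: "account_locked",
}

class Outcome(Enum):            # constructed outcomes for this example
    SUCCESS = "success"
    INVALID = "invalid"         # deny with a generic failure message
    RESET_REQUIRED = "reset"    # hand the user to the password-reset flow
    BLOCKED = "blocked"         # deny; account state, not the password, is the problem
    ERROR = "error"             # directory unreachable or unexpected result code

_DATA_RE = re.compile(r"\bdata ([0-9A-Fa-f]+)\b")

def parse_ad_subcode(diagnostic):
    """Extract the hex sub-code from an AD diagnostic message, or None if absent."""
    m = _DATA_RE.search(diagnostic or "")
    return int(m.group(1), 16) if m else None

def classify_bind_buggy(result_code, diagnostic):
    """Collapses every bind failure to INVALID: an expired password never reaches
    the reset flow. This is the shape of the defect the postmortem describes."""
    return Outcome.SUCCESS if result_code == 0 else Outcome.INVALID

def classify_bind(result_code, diagnostic):
    """Route the bind result by the AD sub-code instead of the bare LDAP result."""
    if result_code == 0:
        return Outcome.SUCCESS
    if result_code != 49:
        return Outcome.ERROR
    reason = AD_SUBCODES.get(parse_ad_subcode(diagnostic))
    if reason in ("password_expired", "password_must_change"):
        return Outcome.RESET_REQUIRED
    # user_not_found and invalid_credentials are deliberately indistinguishable to
    # the caller so the login page cannot be used for username enumeration.
    if reason in ("user_not_found", "invalid_credentials", None):
        return Outcome.INVALID
    return Outcome.BLOCKED

# Constructed diagnostic messages in the format AD emits for result 49.
SAMPLES = {
    "expired":      "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v2580",
    "must_change":  "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580",
    "bad_password": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
    "locked":       "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580",
}

# The regression table a test suite for this flow should pin down: each row is
# (result_code, diagnostic, expected outcome).
REGRESSION_CASES = [
    (0,  "",                       Outcome.SUCCESS),
    (49, SAMPLES["expired"],       Outcome.RESET_REQUIRED),
    (49, SAMPLES["must_change"],   Outcome.RESET_REQUIRED),
    (49, SAMPLES["bad_password"],  Outcome.INVALID),
    (49, SAMPLES["locked"],        Outcome.BLOCKED),
    (52, "",                       Outcome.ERROR),   # LDAP unavailable
]

def regression_check(classifier=classify_bind):
    """Return True if the classifier matches every expected outcome."""
    return all(classifier(code, diag) == want for code, diag, want in REGRESSION_CASES)

if __name__ == "__main__":
    print("fixed classifier passes:", regression_check(classify_bind))
    print("buggy classifier passes:", regression_check(classify_bind_buggy))
```

The buggy classifier passes every case in which the user supplies a genuinely wrong password, so a test suite that only exercises success and bad-password paths would not catch it; the expired-password and must-change rows are the ones that matter for the flow this incident broke.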