Duo uses push notifications, time-based one-time passwords, physical tokens and biometrics to verify the identity of users at login. Similarly, Microsoft Authenticator uses push notifications, one-time passcodes, and biometrics for authentication and can integrate with Microsoft 365 and Azure Active Directory. While both 2FA options share some similarities, there are still key differences that can sway your decision to choose one over the other.
Just curious as to what everyone’s using for MFA in their environments. Duo? Microsoft Authenticator? Okta? A jumble of different solutions depending on which system needed to be covered at the time and with no additional budget?
Duo. After Cisco bought out Duo, however, they did not like our original contract. Now our CISO is telling us to explore Microsoft. 65k+ staffed company.
The problem I’ve had with Duo is that a user counts towards a license just by existing within your Duo tenant (correct term?). Meaning that even if the user has no devices associated and cannot perform 2FA, they still have a cost.
I found it eye-opening when they talked about Duo SSO (their own identity provider, think ADFS). I may be wrong, but my thought was “okay, but Duo is cost-restrictive to us, are you saying we need to onboard everyone just so they can get to internally federated applications?”. Didn’t feel great.
If you look at their directory synchronization tool, it’s the same thing: it will onboard users no problem, but you pay for those users the moment the account exists.
I have no problem saying everyone should have to perform MFA, but if you MFA all your ingress points and highly sensitive data, paying for everyone who may not require or use it is a waste of money.
What we did was an opt-in approach. You register on your own time via an on-premises portal that uses their API to register the user and their device. If you don’t do that and end up needing it externally, well, too bad. In extreme scenarios we can admin-register a user.
We went all in with MS for SSO because we were already paying for it with EM+S E3 licenses. All internal websites, external systems that allow SAML or OAuth2 integration.
Then, cyber insurance asked for MFA for RDP. We added Duo for that, since there’s no way to get Azure MFA to work. We only give a Duo account to the less than 5% of employees that need it.
Currently Okta + Okta Verify. In a previous job where we were all-in on Microsoft, we used Authenticator but were starting to implement Duo because of its wide reach and ease of setup. Like someone else said, Duo was able to do MFA for RDP at the time when Authenticator couldn’t.
Big fan of Duo. It integrates easily with almost everything. The only limitation we’ve had is with the Microsoft Partner Portal — it requires their authenticator.
Microsoft Authenticator, configured so it reports the application, shows a map with the location of the request origin, and requires a two-digit number to be typed.
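The three settings in the post above (application name, sign-in location, number matching) live in the Microsoft Authenticator entry of the tenant's authentication-method policy, which Microsoft Graph exposes under `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator`. The following is an added audit script, not code from the thread or from Microsoft: it takes that policy JSON and reports which of the three features are actually enforced for all users. The embedded policy is a constructed sample with a placeholder group id, and the field names are assumed to follow the Graph `featureSettings` schema.

```python
import json

# Graph featureSettings keys for the three Authenticator hardening options
# described in the post, mapped to a human-readable label.
FEATURES = {
    "displayAppInformationRequiredState": "show application name",
    "displayLocationInformationRequiredState": "show sign-in location map",
    "numberMatchingRequiredState": "require number matching",
}

# Constructed sample policy (not a real tenant): app info is enforced for
# everyone, location only for one group, number matching left at "default".
SAMPLE_POLICY = json.dumps({
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "displayAppInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {"targetType": "group", "id": "all_users"},
        },
        "displayLocationInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {"targetType": "group",
                              "id": "00000000-0000-0000-0000-000000000001"},  # placeholder
        },
        "numberMatchingRequiredState": {
            "state": "default",
            "includeTarget": {"targetType": "group", "id": "all_users"},
        },
    },
})

def audit_authenticator_policy(policy_json: str) -> dict:
    """Map each feature label to a finding about its enforcement scope."""
    settings = json.loads(policy_json).get("featureSettings", {})
    findings = {}
    for key, label in FEATURES.items():
        cfg = settings.get(key) or {}
        state = cfg.get("state", "default")
        target = (cfg.get("includeTarget") or {}).get("id")
        if state == "enabled" and target == "all_users":
            findings[label] = "enforced for all users"
        elif state == "enabled":
            findings[label] = f"enabled only for target {target}"
        else:  # "default" or "disabled": the tenant has not explicitly required it
            findings[label] = f"not explicitly enabled (state={state})"
    return findings

def missing_hardening(policy_json: str) -> list:
    """Features not enforced tenant-wide, suitable for an alert or ticket."""
    return [label for label, finding in audit_authenticator_policy(policy_json).items()
            if finding != "enforced for all users"]

if __name__ == "__main__":
    for feature, finding in audit_authenticator_policy(SAMPLE_POLICY).items():
        print(f"{feature}: {finding}")
```

Feed it the live response from a `GET` on that Graph path (read-only `Policy.Read.All` scope) to compare a tenant against the configuration the post describes.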
Whole company is on a hybrid Azure AD, so it’s just the better choice in our situation because of that. We use Azure Apps to integrate it and Azure AD to manage permissions.
They use Okta where I’m at.
We are using Okta too, but I am not sure if I would recommend it at all.
It’s not unusable but I am still not that happy with it.