I’m considering low cost two-factor authentication options for our SSL VPN.
Duo Security is looking pretty damned unbeatable right now.
Is anyone using them who can offer some feedback on reliability and ease of use please?
Seems they do a free trial so it’s easy enough to find out but I’m more interested in long term experiences and how people cope in the real world where there aren’t always phone signals and where users aren’t perhaps all that technically aware (worst case I guess you buy tokens for the old schoolers?).
@Duo_Security
acatic
(Inegolluyum)
2
We use it. ~70 users. Super easy to set up and deploy. Tied to our Juniper firewall. We replaced our MS PhoneFactor with it. Cheaper and easier.
Thanks, any surprises or issues at all?
Looks like an hour or so to set up a POC so probably easier doing it than asking but hey ho…
acatic
(Inegolluyum)
4
Not really…
It features a mobile app that’s worked with any of our BBs/iOS/Android. You can authenticate via phone/text/app PIN/app push.
We use it for Citrix, VPN, as well as soon to tie into our Office 365.
We’re on the Enterprise plan.
I remember it being a breeze. Any follow-up, post or PM me. Best!
mabeadnell
(mabeadnell)
5
We use it for SSL VPN 2-factor authentication from Android/OS devices, easy to set up, works every time.
How are you handling enrolment please? Quite like the look of self-enrolment.
My main concern is simply that we have people who travel so stuff like SMS or phone reception isn’t a given.
mabeadnell
(mabeadnell)
7
When you add a user it sends off an email for that user to set themselves up basically. We use the Duo app, so a data link for the phone is necessary, as would SMS or a telephone call. Haven’t messed with the hardware tokens yet, as our users are almost always able to get phone reception where we are.
Thanks - presumably when someone leaves it frees up a license, it isn’t tied to an individual?
Their website has tons of info on integrations but very little (that I can see) on the billing side of it which for us is always the tricky bit as we make life hard for ourselves.
kyle-hill
(Kyle H.)
9
I use it too. Regarding cellular reception - it is my understanding that the DUO App Passcode (when you click little key next to integration instead of push/sms) is a TOTP based token and as such should work regardless of cellular reception, just like Google Authenticator. It does support HOTP and TOTP hardware tokens if you want to go Old-School.
The biggest gotcha I have run into is the fact that all user-accounts in Duo Security must be lower-case even if the Account in question has upper-case characters.
Text Messages/Phone Calls cost money. You are given 1000 Telephony Credits to Start and get a Certain Amount Each Month per user per plan. You can opt to send a text with 10 one time codes so that if a user is out of cellular reception they can still access Duo. You as the Admin can also create OTP codes for a user on the fly if needed.
Regarding billing - it is billed per user. The first 10 users are free, so if you have 70 users, you are only paying for 60 users. I am not 100% sure, but I think if you delete a user that Immediately frees up the User License so you can reuse it. Contact Duo Sales to make sure about that.
mabeadnell
(mabeadnell)
10
Yes, it’s priced per user, not individually. So if you delete a user, it frees up a license,
We’ve used it with the Yubikeys as well as Push. They work really well and can be imported right into Duo really easily. It then gives me a choice of using Duo’s Push or to tap the Yubikey plugged into the USB port. Great if you’re somewhere without reception but have access to a USB port.
EDIT: You can use the Duo passcode as well instead of a Yubikey, but in environments where phones are banned, a Yubikey fits the bill very nicely.
The only thing that sucks with Duo for me is the fact that you have to buy in blocks of 10. I don’t see why you can’t just add one user per time; for small companies, this could potentially be off-putting and getting small businesses on board is just as important as large enterprises.
Put it this way…
If I have 10 users on Enterprise and want to increase it to 11 users, I have to pay for 20 users. Some may not think any of it but the finance director certainly cares.
Price-wise though, it is very, very reasonable aside the blocks of 10 situation.
Thanks it’s useful to know the offline tools work well.
I need to try and work out how their billing works when I get the demo setup - seems with self-enrolment you’re basically stuck having to buy users up front even though those licenses may not get used for a while depending how quickly people need to enrol vs. running out of licenses as more people enrol than you’ve purchased licenses for, if that makes sense.
Can any of you think of any downside in terms of end user experience?
Sometimes, the Push notification doesn’t automatically appear so the user has to open the Duo app and swipe down to refresh, although now they’ve improved it so that when the Duo app is open on screen it’s always checking for Pushes and so they automatically appear. It just occasionally doesn’t pop up when the app isn’t in the foreground. Happened on Android v4.4.4 and version 5.0 Lollipop. Haven’t tested with iOS devices.
No biggie and it’ll probably come through anyway given a moment or so.
If you enrol Yubikeys, you need to make a note of each key’s Public ID, AES key and something else which is all presented to you when you configure each Yubikey, this is how you import the Yubikeys. It’s easy but just a forewarning in case you deploy a load of keys and then need to get them back in for reconfiguration in order to note it down and import into Duo later on. Keep those details very safe and perhaps destroy info after importing into Duo; Yubikeys are designed so you can’t read these values off the device once it’s been rewritten due to their secure element chips.
EDIT: not sure if you have to upload each key’s config to Yubicloud after you’re done as not sure if Duo checks the Yubicloud or whether just importing the 3 values for each key suffices.??!?
Can’t think of any other end user issues. Only thing I can anticipate with the Push is that users often like to just blindly allow things, so definitely worth training them not to click Allow on any unsolicited Push notification (in case of an account hijack attempt).
Thanks, do they bill up front or after you add users and is it monthly or annual?
Not seeing it on the website and (for now) I don’t really want to do the whole “Contact Us” thing.
You’re welcome. I’m not sure how the billing side works, though.
mark-sandford
(Mark (Click Studios))
16
Hi hutchingsp,
We have support for Duo Push authentication in our password management software called Passwordstate - www.clickstudios.com.au.
Duo Security is a great platform, and used by many of our customers, so we can highly recommend it. Integrating their two-factor authentication with our software was a very simple process, and infinitely less painful than EMC’s SecurID.
Got this up and running in under an hour this morning, would have been less except I missed a step.
Does what it says basically.
I have a few minor queries which are with support:
- If you register a phone but only register it for SMS you seem unable to add the Duo app - it looks like you need to remove and re-add the device choosing to add the app which also adds the phone for SMS.
- In the admin portal you can view/edit names and email addresses of users but when using self-enrolment people aren’t prompted to enter these and there’s no way (I can see) for them to add/edit them after.
- Can you tie multiple usernames to a duo login i.e. in Active Directory you can login using samAccountName or UPN name and Duo seems to treat these as two different users.
Absolutely blown away at how easy it was to get up and running though.
Thanks for sharing your experience! I’m interested to see what Support say about those tickets.
Have a great Christmas!
Cheers
Karl
No problem Karl, they said:
- They know and it’s expected behaviour but is with development
- End users can’t edit this stuff yet
- I wasn’t overly clear on their explanation, but the bottom line seemed to be “no”

With it being Christmas I haven’t had a chance to do too much with it and get people using it.
I’d certainly be interested to know of any alternatives that are similarly priced that have the self-service functionality.
So back on this - is anyone using the $1/user edition - any catch?
It’s a much easier sell than $3/month but of course admin is time and time is money and I’m not sure how much overhead to expect with the lower cost option.