bryandoe
(Bryan Doe)
1
I need to start moving toward MFA for basically everything. It needs to be FIPS-compliant, support AD accounts, Windows 7 and 10, Linux, and VPN (and bonus points if there’s G Suite support), and works offline. My preference would be one solution to cover all of these so we don’t wind up in a confusing state of different multifactor providers for different things. For now I don’t have strong feelings on the authenticator, but something similar to the Google Authenticator app on a phone would be great (no text). There are a handful of users that don’t have a smartphone so some other physical device must be supported as well.
So far, the only option I’m aware of is Duo. Are there any others? I’m not against Duo at all, I’ve never used them (but I know they’re very popular for this), I’d just like to have a list of more than one, if there are more. I’d guess RSA may be one, but all I’ve heard about that one is it’s great if you love spending lots of money, which won’t work here.
7 Spice ups
We use DUO and it seems pretty good from what I’ve seen so far (only with the company a few months now). One nice feature is, almost like an MDM solution, it can show you devices that are unlocked, not up-to-date and even ones that are jail-broken or rooted.
I would love to implement MFA, but don’t need it for certain Sales-floor domain accounts. I’m assuming something like Duo can be selectively enabled based on OU or such?
I would direct you to look into Yubikey.com. It lines up with everything you requested, plus it is widely deployed and supported by Google as well as Facebook and Amazon…
We use Cisco AnyConnect with the authenticator app. Not sure if there’s a Linux version though. Also pricing is Cisco, so there’s that also. It is a solid product though for the money.
If you want AD support with YubiKeys, I also encourage you to consider AuthLite. Yubico’s own free offering doesn’t really do enterprise, it’s mainly for a standalone user on a workstation. We do support secure offline logon to workstations too.
In addition to YubiKeys, AuthLite can use any time-based OATH-compliant token, including soft tokens like with Google Authenticator.
For G Suite, you’d have to route it through an ADFS instance on-premises, and then we could 2-factorize that as well.
1 Spice up
bryandoe
(Bryan Doe)
8
Do you support Linux workstations as well?
bryandoe
(Bryan Doe)
9
Still wondering if anyone else has other solutions that would work. Linux support will probably be what limits it most.
@joshdunbar , I believe I’ve seen you discussing NIST 800-171 (which is what this is about), I’d be curious if you’ve tackled this yet.
1 Spice up
joshdunbar
(Josh Dunbar)
10
Bryan,
I am using Duo for our Linux workstations and servers. It works flawlessly and is relatively easy to configure. How many systems do you need to protect? Duo can get expensive in a hurry.
1 Spice up
joshdunbar
(Josh Dunbar)
11
We’re also using it to protect both Windows console and Remote Desktop logons and some of our networking equipment that has Duo support.
1 Spice up
bryandoe
(Bryan Doe)
12
I honestly don’t know yet. Aren’t they licensed by user? Or do they count machines as well?
Thanks - can’t say I’m surprised that’s what you’re using, seems like the most popular one.
bryandoe
(Bryan Doe)
13
Sounds like you’re in the same position as me then, so good to know at least something covers so many things.
1 Spice up
joshdunbar
(Josh Dunbar)
14
Duo does a really good job for us. Their documentation is good, too. If you have any questions, let me know. It’s all relatively fresh in my head still.
joshdunbar
(Josh Dunbar)
15
Like zupzuph mentioned above, they have different pricing models listed here: Pricing | Duo Security
I wouldn’t really be able to compare our model to any of those as we have an Edu account. It’s hard to say how much negotiation took place with our pricing, which I wasn’t and am not privy to.
@zuphzuph
bryandoe
(Bryan Doe)
16
Thanks. Out of curiosity since I’ve been asked several times, does it want you to MFA only at sign-in, or every time you unlock the screen? I’m not quite to the point I want to set up a trial yet but this and a few other big ones need to get budgeted soon.
joshdunbar
(Josh Dunbar)
17
You’re required to authenticate with Duo every time you sign in or unlock the screen. Duo has a 10-user free license that you could use for testing, but its functionality is pretty limited.
joshdunbar
(Josh Dunbar)
18
That’s correct. You can also configure certain AD groups to participate in MFA (most do it this way) or put the user accounts in a Bypass group (exempts users from MFA) in the Duo Admin Panel.
joshdunbar
(Josh Dunbar)
19
Are you trying to secure one machine or an entire network to the 800-171 Rev 1 standard? Multifactor can become tricky when you have to protect all entry points. Fortunately for me, I was able to do that with Duo.
Feel free to contact me via DM, if you prefer.