Duo Security for MFA
You can configure Duo Security as a multifactor authentication (MFA) option. When enabled as a factor, Duo is the system of record for MFA, and Okta delegates secondary verification of credentials to your Duo Security account.
Okta denies access to any user, including Okta administrators, who has a valid Duo user account with a status of Disabled or Locked Out. Users cannot sign in with a different MFA factor while their Duo account has a Disabled or Locked Out status. Okta Technical Support cannot reset Duo devices for your Okta administrators or any other Duo users; this must be performed by a Duo administrator. Make sure that you have multiple Duo administrators and that your Okta administrators have multiple devices registered.
Okta looks up users in your Duo account by using the Okta username or email address of the user signing into Okta. If you have a Duo deployment with existing enrollments, make sure that your Duo usernames match the Okta usernames or email addresses of your Okta users. You can change username mapping from Okta username (default) to email address by signing into your Okta Administrator Dashboard, selecting Security > Multifactor > Duo, and changing the Duo Username Format setting.
Okta supports self-enrollment with Duo for new Duo users during sign-in. New users can also enroll on their Duo account page. Depending on your Okta integration settings in Duo, users can enroll with a smartphone, tablet, or telephone. Duo currently limits this functionality to first-time enrollments. After first-time enrollment, users must contact their Duo administrator to add more devices. If an existing Duo user matches a user in Okta, self-enrollment is disabled.
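Because Okta looks users up in Duo by Okta username (the default) or email address, and denies sign-in outright to anyone whose Duo account is Disabled or Locked Out, it is worth checking an existing Duo directory against your Okta users before switching the factor on. The script below is an added example, not Okta's or Duo's code: it assumes you have exported your Okta users (login, email, admin flag) and Duo users (username, status, enrolled device count) into the two constructed lists shown, picks the Duo Username Format that leaves the fewest users unmatched, and flags administrators who would be locked out or who have only one device enrolled.

```python
"""Readiness check before enabling Duo as an Okta MFA factor.

Added example (not Okta's or Duo's code). Field names, helper names and all
sample records are constructed for illustration; replace the two lists with
your own exports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OktaUser:
    login: str        # Okta username, the default Duo lookup key
    email: str        # used when Duo Username Format is set to email address
    is_admin: bool


@dataclass(frozen=True)
class DuoUser:
    username: str
    status: str       # constructed values: "Active", "Disabled", "Locked Out"
    devices: int      # number of enrolled devices


# Constructed sample Okta org: two administrators, three regular users.
OKTA_USERS = [
    OktaUser("alice@example.com", "alice@example.com", True),
    OktaUser("bob.admin", "bob@example.com", True),
    OktaUser("carol@example.com", "carol@example.com", False),
    OktaUser("dave", "dave@example.com", False),
    OktaUser("erin@example.com", "erin@example.com", False),
]

# Constructed sample Duo directory with prior enrollments.
DUO_USERS = [
    DuoUser("alice@example.com", "Active", 2),
    DuoUser("bob@example.com", "Active", 1),
    DuoUser("carol@example.com", "Locked Out", 1),
    DuoUser("dave@example.com", "Active", 1),
]


def duo_account_for(user, duo_users, username_format):
    """Find the Duo account Okta would match for this user under the given
    Duo Username Format ("username" or "email"); None if there is no match."""
    if username_format not in ("username", "email"):
        raise ValueError("username_format must be 'username' or 'email'")
    key = (user.login if username_format == "username" else user.email).lower()
    for duo_user in duo_users:
        if duo_user.username.lower() == key:
            return duo_user
    return None


def unmatched_users(okta_users, duo_users, username_format):
    """Okta logins with no Duo account under this format. These users go
    through first-time self-enrollment instead of using an existing device."""
    return [u.login for u in okta_users
            if duo_account_for(u, duo_users, username_format) is None]


def recommend_username_format(okta_users, duo_users):
    """Pick the format that leaves the fewest users unmatched; a tie keeps the
    Okta default ("username") because it is checked first."""
    counts = {fmt: len(unmatched_users(okta_users, duo_users, fmt))
              for fmt in ("username", "email")}
    return min(counts, key=counts.get)


def blocked_users(okta_users, duo_users, username_format):
    """Users whose matched Duo account is Disabled or Locked Out: Okta denies
    them access and they cannot fall back to another factor."""
    blocked = []
    for u in okta_users:
        duo_user = duo_account_for(u, duo_users, username_format)
        if duo_user is not None and duo_user.status in ("Disabled", "Locked Out"):
            blocked.append(u.login)
    return blocked


def admin_lockout_risks(okta_users, duo_users, username_format):
    """Administrators at risk of losing admin access: no Duo account, a
    non-Active Duo status, or fewer than two enrolled devices."""
    risks = {}
    for u in okta_users:
        if not u.is_admin:
            continue
        duo_user = duo_account_for(u, duo_users, username_format)
        if duo_user is None:
            risks[u.login] = "no Duo account; will need first-time enrollment"
        elif duo_user.status != "Active":
            risks[u.login] = f"Duo status {duo_user.status}; Okta will deny sign-in"
        elif duo_user.devices < 2:
            risks[u.login] = (f"only {duo_user.devices} device enrolled; losing it "
                              "requires a Duo administrator reset")
    return risks


def readiness_report(okta_users=OKTA_USERS, duo_users=DUO_USERS):
    """Summarise the format to choose and everything an admin should fix first."""
    fmt = recommend_username_format(okta_users, duo_users)
    return {
        "recommended_format": fmt,
        "unmatched": unmatched_users(okta_users, duo_users, fmt),
        "blocked": blocked_users(okta_users, duo_users, fmt),
        "admin_risks": admin_lockout_risks(okta_users, duo_users, fmt),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(readiness_report(), indent=2))
```

On the sample data the email format matches four of five users, so it is recommended; carol is reported as blocked (Locked Out), erin as needing first-time enrollment, and bob.admin as a lockout risk with a single device. Matching is case-insensitive here; confirm how your Duo deployment treats username case before relying on that assumption.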
Before You Begin
Before you configure Duo as an MFA option, you must have a Duo account and configure Okta as an integration. Duo users must install the Duo mobile app on their selected devices. Refer to your Duo Security documentation for more information.
To integrate Duo with Okta, you must have the following information from your Duo account:
- Your integration key
- Your secret key
- Your API hostname
To obtain this information, sign in to your Duo Security account and add a new Okta integration.
To configure Duo Security for MFA:
- From your Okta Administrator Dashboard, select Security > Multifactor, and then choose Duo Security.
- On the Duo Security Settings page, enter your integration key, secret key, and API hostname.
- Select your Duo Username Format.
- Click Save.
After you set Duo Security as a factor in Okta, your end users are prompted to configure Duo and set up their devices during sign-in if they don't already have a valid Duo registration. Users go through the following steps:
- Sign in to Okta and receive a prompt to configure extra security. Select the Configure Factor button for Duo Security.
- The setup wizard is launched. Users must click the Start Setup button to continue.
- Users select a device (for example, a mobile phone) and click the Continue button.
- Optionally, click the Enroll another device button, or click the Done button when you are finished adding devices.
Note: You will not be able to configure additional devices after you complete the setup wizard. Contact your Duo admin to help you if you later discover that you want to configure additional devices.
Users that have already enrolled with Duo are prompted for additional verification during sign in. Users can select the authentication type that is supported by their device to verify their identity.
Using A Security Device
You can use a YubiKey security device for Duo verification. Choose Verify with Duo Security device, press the button on the device, and then select Verify, as shown below.
End User Device Management
Once you have enrolled one or more devices, you can subsequently edit those devices, or enroll a new device.
Note that the option to edit Duo settings is hidden by default. This feature must be enabled manually for it to appear in the Extra Verification settings.
- From your Home page, select your user name in the upper right, then select Settings from the dropdown menu.
- Scroll down to the Extra Verification section, then click Edit.
- Click Manage Devices to edit or enroll a new device.
- A Duo login prompt is pushed to your device. Log in.
- To enroll a new device, select Enroll a new device, then continue with the enrollment as described in End User Self-Enrollment, above.
- To edit an existing device, select Actions, then select one of the following edit actions:
  - Change Device Name...
  - Remove Device
  - Set as Default
- Once you have completed your edit action, click Done.
The following are known issues with the Duo Security integration. We will update this information as these issues are resolved.
- If users miss a text or phone call, they must refresh the page and have a new text or phone call sent to them. This issue will be fixed before this feature becomes generally available.
- If a user starts the self-enrollment process but doesn't complete the process or refreshes the page, they will be unable to enroll via Okta and must be enrolled by an administrator using the Duo Administrator Dashboard. This is a limitation of the Duo API.
Duo MFA with Push, SMS, or Call is not supported for Amazon WorkSpaces or RADIUS applications in general. When an end user enrolled in Okta with Duo MFA attempts to access Amazon WorkSpaces configured with RADIUS, or any other RADIUS application, they must provide the six-digit MFA passcode displayed in the Duo mobile app in addition to their primary password.