Duo Security (MFA)

You can add Duo Security as a multifactor authentication (MFA) option in Okta. When enabled as a factor, Duo Security is the system of record for MFA and Okta delegates secondary verification of credentials to your Duo Security account.

If you have a Duo Security deployment with existing enrollments, make sure that your Duo Security usernames match the Okta usernames or email addresses of your Okta users. When an end user signs in to Okta or accesses an Okta-protected resource, Okta looks up the user in your Duo Security account according to the user’s Okta username or email address. You can change username mapping as described in this topic.

End users without an existing Duo Security enrollment can self-enroll during sign-in or through their Duo Security account page. Depending on your Okta integration settings in Duo Security, end users can enroll with a smartphone, tablet, telephone, Touch ID, or security keys.

Before you begin

In Duo Security, integrate your Duo Security account with Okta. Integration generates the following values which you’ll enter in the Okta Admin Console later:

  • An integration key

  • A secret key

  • An API hostname

Add Duo Security as a factor

  1. In the Admin Console, go to Security > Multifactor.

  2. In Factor Types, click Duo Security.

  3. In Settings, enter the values you generated in Duo Security when you integrated with Okta:

    • Integration key

    • Secret key

    • API Hostname

  4. Select a Duo Security Username Format:

    • Okta username

    • Email

    • SAM Account Name

  5. Click Save.

  6. Click Inactive in the upper right and select Activate.
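The username format chosen in step 4 decides which Okta attribute is sent to Duo for the lookup, and a mismatch (or a Disabled / Locked Out Duo status) causes the user to be treated as unenrolled or denied. The following pre-flight check is an added example, not Okta's or Duo's code and not their API clients; the Okta users and Duo enrollments are constructed sample data, and the status strings are assumed for this example.

```python
"""Pre-flight check of the Okta -> Duo username mapping for each Username Format.

Added example with constructed data. In practice the two inputs would be
exported from the Okta Admin Console and the Duo Admin Panel.
"""
from typing import Dict, List

# Constructed Okta users; the three fields mirror the three Username Format choices.
OKTA_USERS: List[Dict[str, str]] = [
    {"login": "alice@example.com", "email": "alice@example.com", "samAccountName": "alice"},
    {"login": "bob@example.com", "email": "robert.b@example.com", "samAccountName": "bob"},
    {"login": "carol@example.com", "email": "carol@example.com", "samAccountName": "carol"},
]

# Constructed Duo enrollments: Duo username -> Duo account status (assumed values).
DUO_USERS: Dict[str, str] = {
    "alice@example.com": "active",
    "robert.b@example.com": "active",
    "carol@example.com": "locked out",
}

# Maps the Admin Console setting to the Okta attribute that is sent to Duo.
FORMAT_FIELD = {"Okta username": "login", "Email": "email", "SAM Account Name": "samAccountName"}
# Statuses for which Okta denies access (see "Important considerations").
DENIED_STATUSES = {"disabled", "locked out"}


def check_mapping(username_format: str, okta_users, duo_users):
    """Return the Okta users that would not verify cleanly under username_format.

    unmatched: Duo has no enrollment under the value Okta sends, so the user is
               treated as unenrolled (existing enrollments under another name are missed).
    denied:    an enrollment exists but its status makes Okta deny access.
    """
    field = FORMAT_FIELD[username_format]
    duo = {name.lower(): status for name, status in duo_users.items()}  # case-insensitive match
    unmatched, denied = [], []
    for user in okta_users:
        status = duo.get(user[field].lower())
        if status is None:
            unmatched.append(user["login"])
        elif status in DENIED_STATUSES:
            denied.append((user["login"], status))
    return {"unmatched": unmatched, "denied": denied}


def best_format(okta_users, duo_users) -> str:
    """Pick the Username Format that leaves the fewest Okta users without a Duo match."""
    return min(FORMAT_FIELD, key=lambda f: len(check_mapping(f, okta_users, duo_users)["unmatched"]))


if __name__ == "__main__":
    for fmt in FORMAT_FIELD:
        print(fmt, check_mapping(fmt, OKTA_USERS, DUO_USERS))
    print("Recommended format:", best_format(OKTA_USERS, DUO_USERS))
```

Run this against the real exports before activating the factor; a denied entry needs a Duo administrator, since neither Okta admins nor Okta Support can reset a Duo account.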

End-user experience

The end-user experience depends on whether users are already enrolled in Duo Security before you configure it as a factor in Okta.

New Duo Security enrollments

  1. After you configure Duo Security as a factor in Okta, end users signing in to Okta or accessing an Okta-protected app are guided to self-enroll in Duo.
  2. The end user clicks Set up and is prompted to select the type of device they're adding. Here's the user experience for two commonly chosen device types:
    • Mobile phone: The user is prompted to enter their phone number and select a country and their device type (for example, Android or iOS). The user may also be prompted to receive a text or a phone call to verify their ownership of the phone number. Then the user is prompted to install Duo Mobile or indicate that it's already installed. Lastly, the user is prompted to activate their enrollment by scanning a QR code or clicking the option Email me an activation link instead.
    • Touch ID: The user follows onscreen prompts to enroll with Touch ID. During the flow the user is prompted to scan their fingerprint. Depending on the Okta app sign-on policy, the user may also be prompted to set up another factor such as a security question.
    Note: After choosing a device during self-enrollment, end users can add devices if the option Add a new device appears in Duo Mobile settings. To enable that option, the Duo admin must select the Self-service portal in the Duo Admin Panel.

Existing Duo Security enrollments

  1. After you configure Duo Security as a factor in Okta, an end user signing in to Okta or accessing an Okta-protected app sees an option to verify their identity using Duo Security as a factor.

  2. The end user selects the Duo Security option.

  3. During sign-in, the end user may be prompted for additional verification depending on your app sign-on policy or settings in your Duo Security deployment. End users verify their identity by selecting an authentication type that is supported by their device.

End user settings in the Duo Mobile app

When enrolling in or authenticating with Duo Security, end users can access the Settings menu in the Duo Mobile app for the following options:

Important considerations

  • Okta denies access to any end user (including Okta admins) whose Duo Security account is in a Disabled or Locked Out status. Depending on your Okta app sign-on policy, these end users may not be able to sign in to Okta-protected resources using a different factor. Also, Okta Support can’t reset Duo Security devices for their users. Only a Duo Security administrator can reset the status of Duo Security accounts. As a best practice, make sure that you have multiple Duo Security administrators and that your Okta admins have multiple registered devices.

  • Resetting a factor in an end user’s Okta profile doesn’t reset their account in Duo Security. Likewise, if users remove Duo Security from Extra Verification in their End-User Settings page in Okta, the enrollment remains in Duo Security. In this case, to allow the end user to enroll in a different Duo Security authentication method, delete their enrollment in the Duo Security Admin Panel. Otherwise, the end user continues to be prompted with the same method they were using before the factor was reset or removed in Okta.

  • If the user is on a Windows device, the Touch ID option is grayed out in the Duo Security app.

  • Duo Security with Push/SMS/Call is not supported for Amazon Workspaces with RADIUS. When an end user enrolled in Okta with Duo Security MFA attempts to access Amazon Workspaces configured with RADIUS, they must provide the six-digit MFA passcode displayed in the Duo Security mobile app in addition to their primary password.