Duo Security (MFA)

You can add Duo Security as a multifactor authentication (MFA) option in Okta. When enabled as a factor, Duo Security is the system of record for MFA and Okta delegates secondary verification of credentials to your Duo Security account.

If you have a Duo Security deployment with existing enrollments, make sure that your Duo Security usernames match the Okta usernames or email addresses of your Okta users. When an end user signs in to Okta or accesses an Okta-protected resource, Okta looks up the user in your Duo Security account according to the user’s Okta username or email address. You can change username mapping as described in this topic.

Users without an existing Duo Security enrollment can enroll themselves when they sign in to Okta, or through their Duo Security account page. Depending on your Okta integration settings in Duo Security, end users can enroll with a smartphone, tablet, telephone, Touch ID, and security keys.

Before you begin

In Duo Security, integrate your Duo Security account with Okta. Integration generates the following values:

  • An integration key
  • A secret key
  • An API hostname

Record these values and save them for when you add Duo Security as a factor.

Add Duo Security as a factor

  1. In the Admin Console, go to Security > Multifactor.

  2. In Factor Types, click Duo Security.
  3. Click Edit beside Duo Security Settings.
  4. Enter the values that you generated in Duo Security when you integrated with Okta:
    • Integration key
    • Secret key
    • API Hostname
  5. Select a Duo Security Username Format:
    • Okta username
    • Email
  6. Click Save.
  7. Click Inactive in the upper right and select Activate.

End-user experience

The end-user experience depends on whether users are already enrolled in Duo Security before you configure it as a factor in Okta.

New Duo Security enrollments

  1. Users who sign in to Okta or access an Okta-protected app are guided to self-enroll in Duo Security.
  2. The user clicks Set up and is prompted to select the type of device they're adding. Here's the user experience for two commonly chosen device types:
    • Mobile phone: The user is prompted to enter their phone number and select a country and their device type (for example, Android or iOS). The user may also be prompted to receive a text or a phone call to verify their ownership of the phone number. Then the user is prompted to install Duo Mobile or indicate that it's already installed. Lastly, the user is prompted to activate their enrollment by scanning a QR code or clicking the option Email me an activation link instead.
    • Touch ID: The user follows the onscreen prompts to enroll with Touch ID, which include scanning their fingerprint. Depending on the Okta app sign-on policy, the user may also be prompted to set up another factor, such as Security Question.

    After choosing a device during self-enrollment, end users can add devices if the option Add a new device appears in Duo Mobile settings. To enable that option, the Duo admin must select the Self-service portal in the Duo Admin Panel.

Existing Duo Security enrollments

  1. Users see the Duo Security factor as a way to authenticate themselves when they sign in to Okta or access an Okta-protected app.
  2. The user selects the Duo Security option.
  3. During sign-in, the user may be prompted for additional verification depending on your app sign-on policy or settings in your Duo Security deployment. Users verify their identity by selecting an authentication type that their device supports.

End user settings in the Duo Mobile app

When enrolling in or authenticating with Duo Security, users can access the Settings menu in the Duo Mobile app for the following options:

Important considerations

  • Okta denies access to any end user (including Okta admins) whose Duo Security account is disabled or locked. Depending on your Okta app sign-on policy, these end users may not be able to sign in to Okta-protected resources using a different factor. Also, Okta Support can’t reset Duo Security devices for their users. Only a Duo Security administrator can reset the status of Duo Security accounts. As a best practice, make sure that you have multiple Duo Security administrators and that your Okta admins have multiple registered devices.
  • Resetting a factor in an end user’s Okta profile doesn’t reset their account in Duo Security. Likewise, if users remove Duo Security from Extra Verification in their End-User Settings page in Okta, the enrollment remains in Duo Security. In this case, to allow the end user to enroll in a different Duo Security authentication method, delete their enrollment in the Duo Security Admin Panel. Otherwise, the end user is prompted with the same method they were using before the factor was reset in or removed from Okta.
  • If the user is on a Windows device, the Touch ID option isn't available in the Duo Security app.
  • Duo Security with Push, SMS, or phone call isn't supported for Amazon WorkSpaces with RADIUS. Users must authenticate with their primary password plus the one-time passcode from the Duo Mobile app.
  • MFA for RDP doesn't support the Duo factor.
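Because Okta looks users up in Duo by Okta username or email (see the username-matching note near the top of this topic) and denies anyone whose Duo account is disabled or locked, it pays to reconcile the two user lists before activating the factor. The following script is an added example written for this page, not Okta or Duo code: it takes a constructed export of Okta users and Duo users, picks the Duo Security Username Format that matches the most users, and flags the three cases the considerations above describe (users Okta won't find in Duo, users Duo would block, and Okta admins with fewer than two Duo devices). The record shapes, the `OktaUser`/`DuoUser` classes, the case-insensitive comparison, and the Duo status strings are assumptions for this example; in practice you would feed it the output of the Okta Users API and the Duo Admin API and confirm the status values against your Duo tenant.

```python
"""Pre-flight reconciliation before enabling Duo Security as an Okta factor.

Added example for this page; not Okta or Duo code. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class OktaUser:
    login: str          # Okta username
    email: str
    is_admin: bool = False


@dataclass
class DuoUser:
    username: str
    status: str         # assumed Duo values: "active", "bypass", "disabled", "locked out"
    devices: int = 0    # number of enrolled Duo devices


USERNAME_FORMATS = ("okta_username", "email")   # the two Duo Security Username Format choices


def duo_lookup_name(user: OktaUser, username_format: str) -> str:
    """The name Okta sends to Duo under the selected Username Format."""
    if username_format == "okta_username":
        return user.login
    if username_format == "email":
        return user.email
    raise ValueError(f"unknown username format: {username_format}")


def reconcile(okta_users, duo_users, username_format):
    """Return which Okta users match a Duo enrollment and who would be blocked."""
    # Assumption: compare case-insensitively; verify this against your own tenants.
    duo_by_name = {u.username.lower(): u for u in duo_users}
    report = {"matched": [], "unmatched": [], "denied": [], "admin_single_device": []}
    for ou in okta_users:
        name = duo_lookup_name(ou, username_format)
        du = duo_by_name.get(name.lower())
        if du is None:
            # Okta will not find this user in Duo; they get a fresh self-enrollment
            report["unmatched"].append(name)
            continue
        report["matched"].append(name)
        if du.status in ("disabled", "locked out"):
            # Okta denies access until a Duo admin resets the account
            report["denied"].append(name)
        if ou.is_admin and du.devices < 2:
            # admins should have a spare device so one lost phone can't lock out Okta
            report["admin_single_device"].append(name)
    return report


def best_format(okta_users, duo_users):
    """Pick the Username Format under which the most existing Okta users match Duo."""
    counts = {f: len(reconcile(okta_users, duo_users, f)["matched"]) for f in USERNAME_FORMATS}
    return max(USERNAME_FORMATS, key=lambda f: counts[f])


# Constructed sample exports: a mix of matching, mismatched, locked, and missing users.
OKTA_USERS = [
    OktaUser("alice@example.com", "alice@example.com", is_admin=True),
    OktaUser("bob.smith", "bob@example.com"),
    OktaUser("carol@example.com", "carol@example.com", is_admin=True),
    OktaUser("dave@example.com", "dave@example.com"),
]
DUO_USERS = [
    DuoUser("alice@example.com", "active", devices=2),
    DuoUser("bob@example.com", "active", devices=1),
    DuoUser("Carol@example.com", "locked out", devices=1),
    # dave has no Duo enrollment
]


def run_example():
    fmt = best_format(OKTA_USERS, DUO_USERS)
    return reconcile(OKTA_USERS, DUO_USERS, fmt)


if __name__ == "__main__":
    print("recommended format:", best_format(OKTA_USERS, DUO_USERS))
    for key, names in run_example().items():
        print(f"{key}: {names}")
```

Run it before step 7 of the activation procedure: anything in `denied` needs a Duo administrator (not Okta Support) to act on it first, and anything in `admin_single_device` is an Okta admin you could lose if their one device goes missing.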

Related topics

Duo documentation