Configure the Duo Security authenticator
The Duo Security authenticator allows users to authenticate with the Cisco Duo app when they sign in to Okta.
When enabled as an authenticator, Duo Security is the system of record for multifactor authentication (MFA) and Okta delegates secondary verification of credentials to your enterprise Duo Security account. MFA for Remote Desktop Protocol (RDP) doesn't support the Duo Security authenticator.
This authenticator is a possession factor, fulfills the requirements for user presence, and is device-bound. See Multifactor authentication.
Before you begin
- If you have existing Duo Security enrollments, verify that your Duo Security usernames and email addresses match the format of those used in Okta before. Okta uses the Okta username or email address to look up users in your Duo Security account. You can select a username format when you configure this authenticator.
- In Duo Security, integrate your Duo Security account with Okta. Record the integration key, the secret key, and the API hostname and enter them in Okta when you configure the Duo Security authenticator.
- Enable other authenticators and allow them in your global session policies. This ensures that your users have alternative security methods available to them. Okta denies access to any user (including Okta admins) whose Duo Security account is disabled or locked.
- Add multiple Duo Security administrators and require your other admins to have enrolled multiple devices in Duo Security. Okta Support can't reset Duo Security devices for their users. Only a Duo Security administrator can reset the status of Duo Security accounts.
Enable the second-generation Sign-In Widget (third generation isn’t supported).
Add the Duo Security authenticator
In the Admin Console, go to .
On the Setup tab, click Add Authenticator.
Click Add on the authenticator tile.
Configure the following options:
Settings Enter the values that you generated in Duo Security when you integrated it with Okta:
- Integration key
- Secret key
- API hostname
Duo Security username format Select a format for the username. Your Duo Security usernames must match the Okta usernames or email addresses of your Okta users:
- Okta username
- SAM Account Name
Click Add. The authenticator appears in the list on the Setup tab.
Add the Duo Security authenticator to the authenticator enrollment policy
In the Admin Console, go to .
- Click the Enrollment tab.
- Add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.
Edit or delete the Duo Security authenticator
Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.
- In Authenticators, go to the Setup tab.
- Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.
The user experience depends on whether users are already enrolled in Duo Security before you configure it as an authenticator in Okta.
New Duo Security enrollments
- After you’ve added this authenticator to Okta and included it in an authenticator enrollment policy, users are prompted to enroll in Duo Security.
- Users click Set up and select the type of device they want to add. They can enroll a smartphone, a tablet, a biometric method on their device, and security keys.
- The setup experience is different for each device type. Prompts guide users through the setup process.
- Users can add more devices if you enabled that option in Duo Security. The Duo Security administrator must select the Self-service portal option in the Duo Security Admin Panel. See Duo Security documentation.
Existing Duo Security enrollments
- After you add this authenticator and include it in an authenticator enrollment policy, users can select Duo Security as a security method when they sign in to Okta or access an Okta-protected app.
- When users select Duo Security as their security method, they may be prompted for additional verification, depending on how Duo Security is deployed in your environment, or how you configured your authentication policies.
End-user settings in the Cisco Duo app
When a user resets or removes Duo Security, you must delete the enrollment in the Duo Security Admin Panel before they attempt to re-enroll.
If the user uses a Windows computer, the TouchID option isn't available in the Cisco Duo app on the user’s iOS device.
Users can access the Settings menu in the Cisco Duo app and select the following options: