Configure the Duo Security authenticator

The Duo Security authenticator allows users to authenticate with the Cisco Duo app when they sign in to Okta.

When enabled as an authenticator, Duo Security is the system of record for multifactor authentication (MFA) and Okta delegates secondary verification of credentials to your enterprise Duo Security account. MFA for Remote Desktop Protocol (RDP) doesn't support the Duo Security authenticator.

This authenticator is a possession factor, fulfills the requirements for user presence, and is device-bound. See Multifactor authentication.

Before you begin

• If you have existing Duo Security enrollments, verify that your Duo Security usernames and email addresses match the format of those used in Okta before. Okta uses the Okta username or email address to look up users in your Duo Security account. You can select a username format when you configure this authenticator.
• In Duo Security, integrate your Duo Security account with Okta. Record the integration key, the secret key, and the API hostname and enter them in Okta when you configure the Duo Security authenticator.
• Enable other authenticators and allow them in your global session policies. This ensures that your users have alternative security methods available to them. Okta denies access to any user (including Okta admins) whose Duo Security account is disabled or locked.
• Add multiple Duo Security administrators and require your other admins to have enrolled multiple devices in Duo Security. Okta Support can't reset Duo Security devices for their users. Only a Duo Security administrator can reset the status of Duo Security accounts.

• Enable the second-generation Sign-In Widget (third generation isn’t supported).

Add the Duo Security authenticator

1. In the Admin Console, go to SecurityAuthenticators.

2. On the Setup tab, click Add Authenticator.

3. Click Add on the authenticator tile.

Configuration options

1. Configure the following options:

   Field	Value
   Settings	Enter the values that you generated in Duo Security when you integrated it with Okta: Integration key Secret key API hostname
   Duo Security username format	Select a format for the username. Your Duo Security usernames must match the Okta usernames or email addresses of your Okta users: Okta username Email SAM Account Name

2. Click Add. The authenticator appears in the list on the Setup tab.

Add the Duo Security authenticator to the authenticator enrollment policy

1. In the Admin Console, go to SecurityAuthenticators.

2. Click the Enrollment tab.
3. Add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the Duo Security authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

1. In Authenticators, go to the Setup tab.
2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

End-user experience

The user experience depends on whether users are already enrolled in Duo Security before you configure it as an authenticator in Okta.

New Duo Security enrollments

1. After you’ve added this authenticator to Okta and included it in an authenticator enrollment policy, users are prompted to enroll in Duo Security.
2. Users click Set up and select the type of device they want to add. They can enroll a smartphone, a tablet, a biometric method on their device, and security keys.
3. The setup experience is different for each device type. Prompts guide users through the setup process.
4. Users can add more devices if you enabled that option in Duo Security. The Duo Security administrator must select the Self-service portal option in the Duo Security Admin Panel. See Duo Security documentation.

Existing Duo Security enrollments

1. After you add this authenticator and include it in an authenticator enrollment policy, users can select Duo Security as a security method when they sign in to Okta or access an Okta-protected app.
2. When users select Duo Security as their security method, they may be prompted for additional verification, depending on how Duo Security is deployed in your environment, or how you configured your authentication policies.

End-user settings in the Cisco Duo app

When a user resets or removes Duo Security, you must delete the enrollment in the Duo Security Admin Panel before they attempt to re-enroll.

If the user uses a Windows computer, the TouchID option isn't available in the Cisco Duo app on the user’s iOS device.

Users can access the Settings menu in the Cisco Duo app and select the following options:

• Manage Settings & Devices: See Duo Security documentation.
• Add a new device: This item appears if the Duo Security administrator selected the Self-service portal option in the Duo Security Admin Panel. See Duo Security documentation.