Configure the Duo Security authenticator

The Duo Security authenticator allows users to authenticate with the Cisco Duo app when they sign in to Okta.

When you enable the Duo Security authenticator, Duo Security becomes the system of record for multifactor authentication (MFA). Okta delegates secondary credential verification to your enterprise Duo Security account. MFA for Remote Desktop Protocol (RDP) doesn't support the Duo Security authenticator.

This authenticator is a possession factor, fulfills the requirements for user presence, and is device-bound. See Multifactor authentication.

This authenticator interacts with Duo Security using Duo Traditional Prompt. To use Duo Universal Prompt, create a Duo identity provider (IdP) and then link the Okta IdP authenticator to the Duo IdP. See Duo Custom IdP Authenticator in Okta Identity Engine and Configure the IdP authenticator.

Before you begin

  • If you have existing Duo Security enrollments, verify that your Duo Security usernames and email addresses match the format of those used in Okta before. Okta uses the Okta username or email address to look up users in your Duo Security account. You can select a username format when you configure this authenticator.
  • In Duo Security, integrate your Duo Security account with Okta. Record the integration key, the secret key, and the API hostname and enter them in Okta when you configure the Duo Security authenticator.
  • Enable other authenticators and allow them in your global session policies. This ensures that your users have alternative security methods available to them. Okta denies access to any user (including Okta admins) whose Duo Security account is disabled or locked.
  • Add multiple Duo Security administrators and require your other admins to have enrolled multiple devices in Duo Security. Okta Support can't reset Duo Security devices for their users. Only a Duo Security administrator can reset the status of Duo Security accounts.

  • Enable the Sign-In Widget (second generation). The third generation isn't supported.

Add this authenticator

  1. In the Admin Console, go to SecurityAuthenticators.

  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the authenticator tile.

Configuration options

  1. Configure the following options:

    Field

    Value
    Settings Enter the values that you generated in Duo Security when you integrated it with Okta:
    • Integration key
    • Secret key
    • API hostname
    Duo Security username format Select a format for the username. Your Duo Security usernames must match the Okta usernames or email addresses of your Okta users:
    • Okta username
    • Email
    • SAM Account Name

  2. Click Add. The authenticator appears in the list on the Setup tab.

Add this authenticator to the authenticator enrollment policy

  1. In the Admin Console, go to SecurityAuthenticators.

  2. Click the Enrollment tab.
  3. Add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete this authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

End-user experience

The user experience depends on whether users are already enrolled in Duo Security before you configure it as an authenticator in Okta.

New Duo Security enrollments

  1. After you've added this authenticator to Okta and included it in an authenticator enrollment policy, users are prompted to enroll in Duo Security.
  2. Users click Set up and select the type of device they want to add. They can enroll a smartphone, a tablet, a biometric method on their device, and security keys.
  3. The setup experience is different for each device type. Prompts guide users through the setup process.
  4. Users can add more devices if you enabled that option in Duo Security. The Duo Security administrator must select the Self-service portal option in the Duo Security Admin Panel. See Duo Security documentation.

Existing Duo Security enrollments

  1. Users can select Duo Security as a security method when they sign in to Okta or access an Okta-protected app.
  2. When users select Duo Security as their security method, they may be prompted for additional verification. This depends on how you've deployed Duo Security in your environment, or how you've configured your authentication policies.

End-user settings in the Cisco Duo app

When a user resets or removes Duo Security, you must delete the enrollment in the Duo Security Admin Panel before they attempt to re-enroll.

If the user uses a Windows computer, the TouchID option isn't available in the Cisco Duo app on the user's iOS device.

Users can access the Settings menu in the Cisco Duo app and select the following options: