Just curious as to what everyone's using for MFA in their environments. Duo? Microsoft Authenticator? Okta? A jumble of different solutions depending on which system needed to be covered at the time and with no additional budget?
this post was submitted on 10 Jun 2023
18 points (95.0% liked)
Sysadmin
5434 readers
1 users here now
A community dedicated to the profession of IT Systems Administration
founded 5 years ago
MODERATORS
Duo. After Cisco bought out Duo, however, they did not like our original contract. Now our CISO is saying for us to explore Microsoft. 65k+ staffed company.
The problem I've had with duo is that a user counts towards a license just by existing within your duo tenant (correct term?). Meaning that even if the user has no devices associated and cannot perform 2fa, they still have a cost.
I found it eye opening when they talked about Duo SSO (their own identity provider, think adfs). I may be wrong but my thoughts was "okay, but duo is cost restrictive to us, are you saying we need to onboard everyone just so they can get to internally federated applications?". Didn't feel great.
You look at their directory synchronization tool, it's the same thing, it will onboard users no problem, but you pay for those users the moment the account exists.
I have no problem saying everyone should have to perform mfa, but if you mfa all your ingress points and highly sensitive data, paying for everyone whom may not require or use it is a waste of money.
What we did was an opt in approach. You register on your own time via onpremise portal that uses their API to register the user and their device. If you don't do that and end up needing it externally, well too bad. In extreme scenarios we can admin register a user .
We went all in with MS for SSO because we were already paying for it with EM+S E3 licenses. All internal websites, external systems that allow SAML or OAuth2 integration.
Then, cyberinsurance asked for MFA for RDP. We added DUO for that, since there’s no way to get Azure MFA to work. We only give a DUO account to the less than 5% of employees that need it.
Big fan of Duo. It integrates easily with almost everything. The only limitation we’ve had is with the Microsoft Partner Portal — it requires their authenticator.
Micosoft Authenticator Configured so it reports application, shows a map with the location of the request origin, requires a two digit number to be typed.
Whole company is on an hybrid Azure AD so it's just the better choice in our situation because of that. We use Azure Apps to integrate it and Azure AD to manage permissions.
Using Duo, MS Auth and Google Auth. Duo is probably the best at the moment out of those three.
Currently Okta + Okta Verify. In a previous job where we were all-in on Microsoft, we used Authenticator but were starting to implement Duo because of it's wide reach and ease of setup. Like someone else said, Duo was able to do MFA for RDP at the time when Authenticator couldn't.
I use both. MS Auth for 365 and tons of web apps.
DUO for VPN, RDP, SSH, Cisco and other multi layer stuff that can use SSO.
Some things I use they are stacked and double MFA.
They use Okta where I'm at.
We are using Okta too, but I am not sure if I would recommend it at all.
It's not unusable but I am still not that happy with it.