Configuring Duo Security
You can configure Duo Security as a multifactor authentication (MFA) option. When enabled as a factor, Duo is the system of record for MFA, and Okta delegates secondary verification of credentials to your Duo Security account.
Okta denies access to any user, including Okta administrators, who has a valid Duo user account with a status of Disabled or Locked Out. Users cannot sign in with a different MFA factor when their Duo account has a Disabled or Locked Out status. Okta Technical Support cannot reset Duo devices for your Okta administrators or any Duo users; a Duo administrator must perform the reset. Make sure that you have multiple Duo administrators and that your Okta administrators have multiple devices registered.
Okta looks up users in your Duo account by using the Okta username or email address of the user signing into Okta. If you have a Duo deployment with existing enrollments, make sure that your Duo usernames match the Okta usernames or email addresses of your Okta users. You can change username mapping from Okta username (default) to email address by signing into your Okta Administrator Dashboard, selecting Security > Multifactor > Duo, and changing the Duo Username Format setting.
Okta supports self enrollment with Duo for new Duo users during sign in. New users can also enroll on their Duo account page. Depending on your Okta integration settings in Duo, users can enroll with a smartphone, tablet, or telephone. Duo currently limits this functionality to first-time enrollments. After first-time enrollment, users must contact their Duo administrator to add more devices. If an existing Duo user matches a user in Okta, self enrollment is disabled.
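The conditions described above (username matching, Disabled or Locked Out status, and administrator device count) can be checked against user exports before Duo is enabled as a factor. The following Python script is an added example, not Okta or Duo code; the record fields, the format labels okta_username and email, and the sample data are constructed, and exact string matching is an assumption.

```python
# Added example: field names and sample records are constructed for illustration.
BLOCKING = {"Disabled", "Locked Out"}  # Duo statuses for which Okta denies access
FORMATS = ("okta_username", "email")   # labels for the two Duo Username Format options

def audit_duo_mapping(okta_users, duo_users, username_format="okta_username"):
    """Predict the sign-in outcome for each Okta user once Duo is the MFA factor.

    Matching is exact string equality, which is an assumption of this example.
    """
    if username_format not in FORMATS:
        raise ValueError(f"username_format must be one of {FORMATS}")
    field = "username" if username_format == "okta_username" else "email"
    duo_by_name = {d["username"]: d for d in duo_users}
    report = {"will_self_enroll": [], "denied": [], "admin_single_device": [], "ok": []}
    for user in okta_users:
        key = user[field]
        duo = duo_by_name.get(key)
        if duo is None:
            # No matching Duo user: treated as new and offered self-enrollment.
            report["will_self_enroll"].append(key)
        elif duo["status"] in BLOCKING:
            # Matching Duo account is Disabled or Locked Out: no other factor is accepted.
            report["denied"].append(key)
        elif user["is_admin"] and len(duo["devices"]) < 2:
            # Admin with one device: losing it requires a Duo administrator to reset.
            report["admin_single_device"].append(key)
        else:
            report["ok"].append(key)
    return report

# Constructed sample data (not a real Okta or Duo export format).
OKTA_USERS = [
    {"username": "alice", "email": "alice@example.com", "is_admin": True},
    {"username": "bob", "email": "bob@example.com", "is_admin": False},
    {"username": "carol", "email": "carol@example.com", "is_admin": False},
    {"username": "dave", "email": "dave@example.com", "is_admin": True},
]
DUO_USERS = [
    {"username": "alice", "status": "Active", "devices": ["phone"]},
    {"username": "bob", "status": "Locked Out", "devices": ["phone"]},
    {"username": "carol@example.com", "status": "Active", "devices": ["phone"]},
    {"username": "dave", "status": "Active", "devices": ["phone", "tablet"]},
]

if __name__ == "__main__":
    for fmt in FORMATS:
        print(fmt, audit_duo_mapping(OKTA_USERS, DUO_USERS, fmt))
```

In the sample data, switching the format to email leaves three existing Duo users unmatched, which is the mismatch the Duo Username Format setting is meant to prevent.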
Before You Begin
Before you configure Duo as an MFA option, you must have a Duo account and configure Okta as an integration. Duo users must install the Duo mobile app on their selected devices. Refer to your Duo Security documentation for more information.
To integrate Duo with Okta, you must have the following information from your Duo account:
To obtain this information, sign into your Duo Security account and add a new Okta Integration.
To configure Duo, do the following:
After you set Duo Security as a factor in Okta, your end users are prompted to configure Duo and set up their devices during sign in if they don't already have a valid Duo registration. Users go through the following steps:
Sign into Okta and receive a prompt to configure extra security. Select the Configure Factor button for Duo Security.
The setup wizard is launched. Users must click the Start Setup button to continue.
Users select a device (for example, mobile phone) and click the Continue button.
Optionally, click the Enroll another device button or click the Done button when you are finished adding devices.
Note: You will not be able to configure additional devices after you complete the setup wizard. Contact your Duo admin to help you if you later discover that you want to configure additional devices.
Users that have already enrolled with Duo are prompted for additional verification during sign in. Users can select the authentication type that is supported by their device to verify their identity.
Using A Security Device
You can use a YubiKey security device for Duo verification. Choose Verify with Duo Security device. Press the button on the device and then select Verify.
End User Device Management
Once you have enrolled one or more devices, you can subsequently edit those devices, or enroll a new device, as follows:
The following are known issues with the Duo Security integration. We will update this information as these issues are resolved.