Alternate authentication apps

I have tentative approval to move ahead with Duo for 2FA on Linux instead of Okta ASA. I can’t say I am unhappy with that…

So I have a couple of questions. These are not show stoppers but may help to ease the adoption.

  1. Can duo push use other authenticatiors such as google? Several of the admins already use google authenticator with Okta and it would be convenient for them.

  2. Can duo use TOTP tokens? The token I use for Okta imported and I applied it to a test user but, so far, I’ve had no luck logging in with it.

Hi @linixhitman, it makes me happy to read that you’re tentatively moving forward with Duo! And that you’re not unhappy about it :slight_smile:

To answer your questions:

No, while I understand this would be convenient, Duo Push is only available with the use of Duo Mobile, and Duo in general will not work with other mobile authenticator apps.

Yes, Duo does support the use of TOTP tokens. However, we recommend using HOTP tokens instead, because TOTP token drift and resynchronization are not supported. As a result, imported TOTP tokens may not work for authentication with Duo Security, or may fail to work for authentication after a variable period of time. More resources and information to help you with this can be found in the article I linked previously.

Please let me know if there is anything else we can help you with!

Well, don’t get too excited over us using Duo. There will be maybe 10 to 20 users so, even at the highest level of suppport, you would be seeing around $2K a year. Practically a rounding error for Cisco. :slight_smile:

No, while I understand this would be convenient, Duo Push is only available with the use of Duo Mobile, and Duo in general will not work with other mobile authenticator apps.

Fair enough. I only need 2FA on the jump hosts and the inconveience is, IMO, minimal

Yes, Duo does support the use of TOTP tokens. However, we recommend using HOTP tokens instead, because TOTP token drift and resynchronization are not supported.

Unlikely the company will invest in another set of tokens – we get enough grief from users over the current ones. However, if they are not too expensive I will get an HOTP token for my own use. Any particular ones that work well with your tool?

Haha, this will sound cheesy, but every customer is important to me (even Duo Free!) and I’m sure many people at Duo would agree with me on that. I’m just glad to see you’ve found a solution you like.

As for which tokens to use, Duo supports the use of any OATH HOTP-compatible tokens. I’m certainly not an expert in this particular area, but the tokens most of us at Duo use and would recommend are Yubikeys. We recommend generating passcodes in AES mode if possible because the token won’t go out of sync. You can take a look at our documentation on how to configure Yubikeys for OTP use with Duo. We also offer Duo D100 tokens, which you can purchase through your account rep or directly through the Duo Admin Panel. I think these can only be purchased in increments of 10 though, so probably not the best if you’re looking to get a single token for yourself.