Well, don’t get too excited over us using Duo. There will be maybe 10 to 20 users so, even at the highest level of suppport, you would be seeing around $2K a year. Practically a rounding error for Cisco.

No, while I understand this would be convenient, Duo Push is only available with the use of Duo Mobile, and Duo in general will not work with other mobile authenticator apps.

Fair enough. I only need 2FA on the jump hosts and the inconveience is, IMO, minimal

Yes, Duo does support the use of TOTP tokens. However, we recommend using HOTP tokens instead, because TOTP token drift and resynchronization are not supported.

Unlikely the company will invest in another set of tokens – we get enough grief from users over the current ones. However, if they are not too expensive I will get an HOTP token for my own use. Any particular ones that work well with your tool?

Haha, this will sound cheesy, but every customer is important to me (even Duo Free!) and I’m sure many people at Duo would agree with me on that. I’m just glad to see you’ve found a solution you like.

As for which tokens to use, Duo supports the use of any OATH HOTP-compatible tokens. I’m certainly not an expert in this particular area, but the tokens most of us at Duo use and would recommend are Yubikeys. We recommend generating passcodes in AES mode if possible because the token won’t go out of sync. You can take a look at our documentation on how to configure Yubikeys for OTP use with Duo. We also offer Duo D100 tokens, which you can purchase through your account rep or directly through the Duo Admin Panel. I think these can only be purchased in increments of 10 though, so probably not the best if you’re looking to get a single token for yourself.