Bypass (or option to "skip enrollment") for partially enrolled users?

We are in the initial stages of our deployment and struggling with how to allow users to “opt-in” to Duo without interrupting their critical work (at least without coordination).

We are utilizing Directory Sync, and a group to control who is eligible for Duo at any point in time, so we have the “should be using Duo” and “not required to use Duo” part of the problem figured out. Fully enrolled users are (as we are seeking) prompted for Duo as expected, and denied access if they are unable to complete the authentication.

Where we are getting stuck is for users that have opted-in (or been opted-in because of their role), but have not yet enrolled. Our preference would be to nag them to enroll, but allow them to continue without MFA for at least some period of time.

The self-enrollment does not appear to offer any “skip for now” option, so we were pursuing a New User policy involving “Allow unenrolled users to pass through without two-factor authentication.”

However, if we pair that with Authentication policy of “Require two-factor authentication or enrollment when applicable…” synced but unenrolled users are forced to enroll, and if we use the “Skip two-factor authentication or enrollment when applicable…” policy, no users are prompted by Duo.

So, is there a way to accomplish our goal:

  • All fully enrolled users are prompted for Duo authentication.
  • Partially enrolled users are allowed through without Duo auth, in some form.

Thanks in advance.

Hi @SPremeau, thanks for sharing your question here! Policy is certainly one of the more tricky areas when it comes to Duo. If I understand you correctly from what you’ve shared here, you would like to prompt partially enrolled users to enroll in Duo without requiring them to do so, allowing them to bypass 2FA if they choose. As far as I know, this is not possible today. I see you have a support case open with the Duo team already to create a feature request for this, so that’s good. Please note there might be a delay in hearing back from that team, but they are working hard to address each case.

I’d recommend checking out our Duo Policy Guide, specifically the Enrollment & 2FA Enforcement Planning section and examples at the end as it offers a lot of great guidance in this area. We also have a course on this topic available on Level Up called Policy & Access Control for Everyone that is part of our Admin I certification series, which might be helpful to you.

I just realized that I received a response over the holidays, but I don’t think my question was understood, as I was just guided to some of the same documentation that you provided.

I have updated/reopened the ticket with additional, hopefully clearer, information. Hopefully I’ll have a bit better luck with this update.