Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1863
Views
0
Helpful
2
Replies

Bypass (or option to "skip enrollment") for partially enrolled users?

SPremeau
Level 1
Level 1

‎12-07-2021 06:31 AM

We are in the inital stages of our deployment and struggling with how to allow users to “opt-in” to Duo without interrupting their critical work (at least without coordination).

We are utilizing Directory Sync, and a group to control who is eligible for Duo at any point in time, so we have the “should be using Duo” and “not required to use Duo” part of the problem figured out. Fully enrolled users are (as we are seeking), prompted for Duo as expected, and denied access if they are unable to complete the authentication.

Where we are getting stuck is for users that have opted-in (or been opted-in because of their role), but have not yet enrolled. Our preference would be to nag them to enroll, but allow them to continue without MFA for at least some period of time.

The self-enrollment does not appear to offer any “skip for now” option, so we were pursuing a New User policy involving “Allow unenrolled users to pass through without two-factor authentication.”

However, if we pair that with Authentication policy of “Require two-factor authentication or enrollment when applicable…” synced by unenrolled users forced to enroll, and if we use the “Skip two-factor authentication or enrollment when applicable…” policy, no users are prompted by Duo.

So, is there a way to accomplish our goal:

  • All fully enrolled users are prompted for Duo authentication.
  • Partially enrolled users are allowed through without Duo auth, in some form.

Thanks in advance.

Labels:
0 Helpful
2 Replies 2

Amy2
Level 5
Level 5

‎12-10-2021 07:49 AM

Hi @SPremeau, thanks for sharing your question here! Policy is certainly one of the more tricky areas when it comes to Duo. If I understand you correctly from what you’ve shared here, you would like to prompt partially enrolled users to enroll in Duo without requiring them to do so, allowing them to bypass 2FA if they choose. As far as I know, this is not possible today. I see you have a support case open with the Duo team already to create a feature request for this, so that’s good. Please note there might be a delay in hearing back from that team, but they are working hard to address each case.

I’d recommend checking out our Duo Policy Guide, specifically the Enrollment & 2FA Enforcement Planning section and examples at the end as it offers a lot of great guidance in this area. We also have a course on this topic available on Level Up called Policy & Access Control for Everyone that is part of our Admin I certification series, which might be helpful to you.

0 Helpful

SPremeau
Level 1
Level 1
In response to Amy2

‎01-18-2022 12:59 PM

I just realized that I received a response over the holidays, but I don’t think my question was understood, as I was just guided to some of the same documentation that you provided.

I have updated/reopened the ticket with additional, hopefully clearer, information. Hopefully I’ll have a bit better luck with this update.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents