Duo on servers - offline access

I’m seeing something that I want to be sure of…

If I have a couple of hundred servers that I’m putting Duo on for admins to 2-factor into…
For us to be able to log into any one of them in the case that Duo is inaccessible, we have to log in to ALL OF THEM and register our devices… If I’m using a phone, I’ll have 200 accounts in my phone.

And every time a new server is deployed we all have to make sure we have access on the chance Duo is inaccessible.

Am I missing something?

Ken

Hi @kstieers,

Have you considered using YubiKey for your offline access?
This solution may not work for you, but wanted to throw that out there as that’s what we are using for all of our servers.

The other option to look into is to fail open.
Granted, this is not the most secure option; however, if the server can’t access Duo, then whoever is logging in to them would need to be on site (local) and would still be protected from remote logins.

Not yet… but the problem still remains… registering a key for each of us to 200 servers, yes?

Hi @kstieers

Unfortunately, yes, I believe you would need to register the YubiKey on each server.

However, as far as I know, you would only need the 1x YubiKey / user for all servers (not 200 YubiKeys), and when acting in “Offline Mode” you would no longer have to scroll through 200 different offline codes to find the right one.

As far as I know there isn’t a limit on the number of devices that you can protect with a single YubiKey, but if I’m mistaken I’m sure someone will correct me.

We are an MSP and have 1x YubiKey per client, that’s attached to their keychain.