Duo setup for Auditors

Here is our situation, looking for the best option/solution:

We have a VPN that users authenticate with their AD credentials and Duo. This works fine.

We have an audit next week and need to setup them up with Duo access for getting into our VPN. Currently we have 1 AD credential setup for them to use, but there could be up to 3 people at once that would need to be logged in, using the same active directory account. Normally when they are on-site, they just share that user account and we allow it multiple logins. But these auditors will now have to VPN into our systems due to COVID-19.

Question is, will Duo allow the same AD credential to login multiple times? If so, how do we set that up? Is there a better solution?

I know we could setup separate users in Duo and separate AD accounts, just was trying to avoid creating more accounts.

It’s surprising to hear that your auditors aren’t concerned with sharing credentials, but rest assured that the same user can log in multiple times with Duo and you can attach multiple 2FA devices to a single Duo user. You likely will need to assign the 2fA phones on behalf of the users, because our self-service device enrollment option assumes the user has access to one of the other enrolled devices (which in your scenario may be a different auditor’s mobile phone), and also is only available with the Duo interactive web prompt, which not all VPNs offer.

Duo aside, you might experience an issue at your VPN if it doesn’t allow multiple concurrent user sessions. Double-check with your VPN vendor to see if you need to adjust a setting to permit a single user to establish more than one connection (for example, Cisco ASAs have a vpn-simultaneous-logins parameter).