Enable 2FA for generic accounts

We’ve enabled 2FA on all our named accounts and are now looking at enabling 2FA on our generic accounts.

We were thinking of adding the users to a policy to deny access but whitelist the public IPs. Unfortunately, this doesn’t work, as access will also be denied even though the IP has been whitelisted.

In the KB article on the Duo website it mentions this setting in the ‘Authorized Networks’ section, but I can’t find the option.

  • Deny access from all other networks - Use this option to block user access from any network not configured in the “allow access” or “require 2FA” options. At least one network must be defined for 2FA bypass or enforcement to enable this setting.

Is there an easy way to manage your generic accounts, by giving them access internally but blocking access from any external location?

Hi @Gert.Verhoeven, which edition of Duo are you on? The option to enforce 2FA for specified networks or block access from all unknown networks is available on Duo Access and Beyond editions. If you are using Duo MFA, this is likely why you do not see this option.

Some other things to look for: Did you define at least one network for 2FA bypass or enforcement? That is required to enable the Deny access from all other networks option.

We have a list of which applications support Authorized Networks that might be useful to you or others reading this post. I hope that helps!

Hi Amy,

We’re on the MFA edition.

Cheers,

Gert

Hi @Gert.Verhoeven

We have taken a couple of different approaches to generic accounts for our clients and maybe one of these could help you.

  1. Our preferred method is to have one user that has multiple shared phones associated with it. That way any of the users who are authorized to access that account can select their phone from a drop-down menu.

  2. Similar to number 1, but a central person or group acts as a “gatekeeper” and they send the approval when required (e.g. the receptionist grants access to the boardroom and the HR manager grants access to training accounts).

  3. You can set up a hardware token (YubiKey or D100) for that account. That way whoever is gaining access has a physical device.

  4. As mentioned, you can set up a list of Authorized Networks and not require MFA from those networks. The main concern with this is that it doesn’t prevent a lateral attack.

  5. You can add the user in permanent bypass mode. This has no MFA on the account, but will at least track and log access to that account.

Hope this helps.
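
Options 4 and 5 above rely on the access log as the remaining control, so here is one way to review it, as an added example that is not part of the thread or any Duo tooling: flag successful generic-account logins whose source address is outside the internal ranges. The account names, network ranges and the simplified record fields (`user`, `ip`, `result`, `reason`) are assumptions made for this example.

```python
import ipaddress

# Assumed values: replace with your own egress/internal ranges and account names.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "10.0.0.0/8")]
GENERIC_ACCOUNTS = {"reception", "training01"}

# Constructed sample records (simplified shape, not real log output).
SAMPLE_LOG = [
    {"user": "reception", "ip": "203.0.113.5", "result": "success", "reason": "bypass_user"},
    {"user": "training01", "ip": "198.51.100.23", "result": "success", "reason": "bypass_user"},
    {"user": "alice", "ip": "198.51.100.23", "result": "success", "reason": "user_approved"},
    {"user": "reception", "ip": "198.51.100.77", "result": "denied", "reason": "deny_network"},
    {"user": "Training01", "ip": "", "result": "success", "reason": "bypass_user"},
    {"user": "reception", "ip": "10.4.2.9", "result": "success", "reason": "trusted_network"},
]


def is_internal(ip_text):
    """True only if ip_text parses and falls inside a listed internal network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed source address counts as external
    return any(ip in net for net in INTERNAL_NETS)


def flag_external_generic_logins(records):
    """Return (user, ip, reason) for successful generic-account logins from outside."""
    findings = []
    for rec in records:
        user = rec.get("user", "").lower()  # account names compared case-insensitively
        if user not in GENERIC_ACCOUNTS:
            continue  # named accounts already have 2FA enforced
        if rec.get("result") != "success":
            continue  # only logins that actually got in
        if is_internal(rec.get("ip", "")):
            continue  # expected: internal use of a shared account
        findings.append((user, rec.get("ip", ""), rec.get("reason", "")))
    return findings


if __name__ == "__main__":
    for user, ip, reason in flag_external_generic_logins(SAMPLE_LOG):
        print(f"REVIEW: {user} logged in from {ip or '<no source ip>'} ({reason})")
```

A record with no usable source address is reported rather than skipped, so gaps in the log surface as findings instead of passing silently.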