I have several devices that two people need access to. I configure the device for both users, and when either authenticates the other is notified. Is this by default or am I missing something? It’s very misleading when two people are accessing the same device and they get a notification when the other is logging on.
Check that each person has their own login and is associated with their own phone. If you are sharing login accounts, that would be why. I’m not saying you’re sharing accounts but, if properly licensed, it is perfectly allowed but it does cause issues with any MFA, not just Duo. How is it supposed to know a shared account/phone number is for User B if it’s always logging in as User A? Or, if you indeed have multiple users defined in Duo but are adding everyone’s phone to each user, that wouldn’t work right, either. One phone (unless that person has multiple phones) per person should solve your issue.
Just FYI, it’s not common that we share accounts, at least not for Windows, because each person has to be licensed. Microsoft licenses per user, not per account. I have 1 Microsoft license for myself yet I have multiple Windows accounts, just because I manage multiple domains and servers. Sure, we could share 1 license, 1 account and pretend we’re all the same user, but that would be a violation of the Microsoft licensing terms. The license is by honor but, if you’re caught, could spell trouble for your firm. My firm was audited 3 times by Microsoft but, fortunately, each time they found us all properly licensed.
Hi, sorry for the long delay. We’re not sharing accounts; everyone has their own license for Windows and Duo. It’s not uncommon to have multiple users log into one computer; by design, this is how Microsoft built its operating system. Windows manages them by creating separate profiles for each user. Duo, on the other hand, when user A logs in and chooses their cell number to receive the 2FA push, sends the push notification to both user A and B. Why doesn’t Duo only send it out to the user logging in? Is there a way for me to change this? It’s confusing to people when they are not logging in yet receive a notification.
Hi @works2020, as long as each user has their own unique username in Duo, and their 2FA device is associated only to their account, they should only receive a push notification for their own login attempt. How did you create the users in Duo? Just to clarify, when you say they have their own accounts, do you mean they each have their own unique username and login?
When you click on User A from the Users page of the Duo Admin Panel, do you see both User A and User B’s numbers listed under Phones? From the scenario you described, it sounds like User B’s phone is also associated to User A’s account. Please refer to our Managing Users documentation, and if you are still having trouble, it might be quicker to work with Duo Support as they can do a screenshare with you and figure out what exactly is going wrong here. It sounds to me like something is off with how the users are set up though. I hope that helps!
I see what’s happening now. I guess I wasn’t clear what my objective was. If I have to log in to a computer as a user for troubleshooting purposes, I don’t like to bother them by asking them for a code or bother them with a push notification. To get around this I added my cell to the user’s account in Duo. This then provides a dropdown with two cell numbers. This way I can log in with my client’s credentials; however, we both get a push notification. This is annoying and misleading. Now I just disable the Duo account prior to logging in as someone else, then enable it after troubleshooting.
Still curious why it doesn’t allow only one person to receive a push notification. For the record, we both have a license in Duo, so I have licensing covered. As a system admin I thought this would allow me to sign in as another user and whoever was chosen in the Duo dropdown during authentication would only receive the push notification. This is not the case though.
You did not mention which Duo application you installed. Are you using Duo for Windows Logon?
The installation default for that application is to automatically send a push or phone call to the first capable device associated with the user. If you added your phone to that user in Duo (so the user has two phones attached, theirs first and yours second), it’s expected that the user would receive the 2FA notification.
This is what happens when you log in with that user’s credentials (NOT your own credentials).
UserA exists in Duo with their own phone as phone1 and your phone as phone2.
You log in with UserA’s creds.
Duo for Windows Logon automatically sends a push to UserA’s phone1.
You cancel that auth in flight and choose your own phone from the drop-down.
You send a push to your phone, approve it, and complete login as UserA.
You have two choices here:
Disable Duo autopush on the workstation. All users will have to manually initiate the Duo 2FA request by selecting their device. There are no automatic requests sent.
Leave autopush enabled and accept that when multiple phones are attached to a user it will always send a request to the first phone, and occasionally someone might need to cancel that 2FA request to use a different phone. Hopefully you don’t have to log on as other users for troubleshooting very often, and the user is aware you are working on their system so they know they can disregard the push sent when you log in as them.
ETA: We generally expect that a user in Duo represents a single person, and that they have access to any and all 2FA devices attached to that person. Shared accounts, where a user in Duo represents credentials used by multiple persons who each have access to individual devices attached to the same shared Duo user, aren’t the majority use case and will run into these small inconveniences.
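For the first option above (turning autopush off on the workstation), the following is an added example for auditing and changing that setting from an elevated PowerShell session; it is not code from the thread or from Duo. It assumes the Duo for Windows Logon credential provider stores its settings under the documented HKLM\SOFTWARE\Duo Security\DuoCredProv key with an AutoPush DWORD (1 = on, 0 = off), and it treats an absent value as the installer default (enabled).

```powershell
# Added example, not part of the thread: audit or change Duo for Windows Logon autopush.
# Assumption: settings live under the documented DuoCredProv key with an AutoPush DWORD.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Get-DuoAutoPush {
    if (-not (Test-Path $DuoKey)) {
        throw "Duo for Windows Logon registry key not found: $DuoKey"
    }
    $value = (Get-ItemProperty -Path $DuoKey -ErrorAction SilentlyContinue).AutoPush
    # Assumption: when the value is missing, the installer default (autopush on) applies.
    if ($null -eq $value) { return $true }
    return [bool]$value
}

function Set-DuoAutoPush {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Needs an elevated shell; the change applies at the next logon prompt.
    Set-ItemProperty -Path $DuoKey -Name 'AutoPush' -Value ([int]$Enabled) -Type DWord
}

# Report which of the two behaviours described above is currently in force.
if (Get-DuoAutoPush) {
    Write-Output 'AutoPush ON: the first phone attached to the user gets the request automatically.'
} else {
    Write-Output 'AutoPush OFF: each user must select a device to start the 2FA request.'
}
```

Run `Set-DuoAutoPush -Enabled $false` to switch to manual device selection for everyone who logs on to that workstation, which is the trade-off the first option describes.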
Thank you for this post, it’s exactly what I needed.
Yes, using Duo for Windows Login
I didn’t know there was a precedence in the order phones were checked prior to sending push info, good to know.
It’s a minor inconvenience but no big deal. I find it’s easier to leave each Duo user with only their own cell and to go in and disable service while I remote in.
Appreciate the information, thank you, and have a great day.
If you know you’re going to work on someone’s computer, when you add your phone to their account in Duo you can drag your phone above theirs in the Phones table shown on the user’s details page, so yours becomes phone1 and gets the automatic push. Then, if you remove your phone from the user, their phone goes back to the phone1 position.
I personally add a temporary bypass token to get in without having to ask the user to press Approve. I feel that this is safer than putting the user’s 2FA on bypass (disable, on the other hand, will prevent logging in but, yes, I assume you meant bypass, not disable).
Great point and I’ll definitely take this into consideration. Yes, I meant bypass and not disable.