Securing third party access


#1

My enterprise has quite a few third-party vendors that are remote to my physical location but need to be able to access systems that have access to PII that is protected by DUO.

Variables at play for each third party vendor:

  1. Multiple individuals.
  2. Multiple phone numbers.

Due to the reasons listed above, for a number of the vendors I can’t see issuing our own devices to them; it does not seem cost-effective.
Phone callback doesn’t seem practical with multiple individuals.

The only method that makes sense to me at the moment is enforcing DUO authentication still, but forcing the vendors to Bring Your Own Token (BYOT).

What practical methods have been used to deploy DUO to those vendors in your enterprise?


#2

We’ve used what you propose - requiring vendor agents accessing our DUO-protected VPN / systems to use their smartphone or other device for 2FA.