Two accounts on one phone


#1

A user has two different accounts that they need to use Duo on. We have set them up with both accounts by going on the account and adding the phone.

This works but doesn’t add an account to the phone; there’s only the first account that was set up by using the QR-barcode. And when the user logs in and selects the second account, the only option is “Call Me” instead of the usual “Duo Push” or use the token code.

Many thanks,
Seb


#2

Hi there Seb,
We’re not exactly sure why this user needs access to applications protected by two different Duo accounts, but if we’re understanding the issue correctly, it sounds like you need to help them activate Duo Mobile for their second account by following the steps here: Duo Admin - Mobile Activation Code | Duo Security

This could also be accomplished in the future via Self Enrollment: Duo Enrollment - Enrolling Users | Duo Security


#3

Hi Dooley,
I just wanted to explain a use case we have for multiple accounts on a single device.
We use separate accounts for administrative purposes, and we even have separate admin accounts for different accesses, so there are some users in our environment that had up to 6 Duo accounts for one user, and yes, the user had to complete enrolment for each account. I say "had" because we started using the Alias field when it became available, which may be an option for Seb.


#4

Appreciate the insight, Bill! Definitely sounds like aliases would be a good fit for your needs. Here’s a guide to migrating to using the aliases feature: https://help.duo.com/s/article/aliases-migration

Here’s a link to some overview documentation on the username aliases feature for anyone curious: https://help.duo.com/s/article/aliases-guide

We also have a username normalization feature that can be helpful in somewhat related circumstances: Protecting Applications | Duo Security


#5

Hi Dooly,
I experience the same thing as Seb. I use multiple accounts; this is common. As a normal RDP user and also the Duo admin for our company, I have accounts for each of those.

But here’s what I think he is saying, if you read his post. Sometimes adding an account does not add a visible account on the phone. When I added an account for LastPass (which supports Duo Push), I did not see an additional account on my phone, even though LastPass successfully sent Push authentications to my phone.

I never contacted support about it, since the functionality was there, but I did wonder why it happened.


#6

Hi there,
It sounds like you are misunderstanding how accounts appear in Duo Mobile. This is somewhat confusing because all third-party accounts (that use Duo Mobile for TOTP passcode generation) appear as individual accounts in the app.

Your Duo-protected applications (those that can use Duo Push and HOTP passcodes) will all roll up to a single account in Duo Mobile for your organization. As an admin, you will have a second account in the app for Admin Panel access, but all of your other protected applications (RDP, LastPass, etc.) will roll up to that single user account. Does this explanation help?


#7

If I have multiple Duo-protected apps that use the same Active Directory user account, I understand that I would only see one entry on my phone for all of those protected apps. But if I add a completely unrelated Duo-protected app, that is in no way attached to our system, wouldn’t that show up as a separate entry on my phone?


#8

Spoke with some other folks here and hopefully this answer will clear up any confusion! If not, please reach out to Duo Support for further assistance.

Each Duo-protected user entry on your phone will be used for push and passcodes for all applications the user has access to as specified in the Duo Admin Panel. This would include any specified username aliases. All Duo-protected applications that are tied to a specific Duo Admin Panel, regardless of how they process authentications or what identity store they use or how Duo integrates with said application, are tied to a single account entry in the Duo Mobile app on a given device.

You are correct that adding a third-party account to the application for TOTP passcode generation would add a new application entry.

If you update to the latest version of Duo Mobile, you will be able to easily distinguish between Duo-protected applications (they will have an HOTP refresh button) and third-party accounts (they will have a TOTP countdown timer).
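
Why the two kinds of entries look different, as an added example (standard RFC 4226 / RFC 6238 algorithms in Python, not Duo's own code): an HOTP code advances with a counter, so the app offers a refresh button, while a TOTP code is derived from the clock, so the app shows a countdown. The secret is the public RFC test vector, and the look-ahead window of 3 is an assumed value.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (public test vector, not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """What a countdown timer displays: seconds until the TOTP code changes."""
    return step - (unix_time % step)


def hotp_verify(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 3):
    """Server-side HOTP check with an assumed look-ahead window.

    Each press of a refresh button moves the phone's counter ahead of the
    server's, so the server tries a few counters forward. Returns the counter
    to store next on success (which also rejects replays), or None on failure.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(RFC_TEST_SECRET, c) for c in range(3)])
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59),
          "expires in", seconds_remaining(59), "s")
    nxt = hotp_verify(RFC_TEST_SECRET, hotp(RFC_TEST_SECRET, 2), 0)
    print("accepted, next counter:", nxt)
    print("replay accepted:", hotp_verify(RFC_TEST_SECRET, "359152", nxt))
```
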


#9

Thanks Andrew, that confirms what I expected. Your explanation is very clear, especially mentioning that it’s tied to one Duo Admin Panel.

In my case, LastPass is not tied to our Duo Admin Panel, but it does not create an entry on the smartphone, so something is not right. I’ll have to check with support on that.


#10

Hey Technerd,

If your LastPass application isn’t tied to a Duo Admin Panel application, you wouldn’t expect to receive any push notifications in Duo Mobile.

If you received a push when logging into LastPass, then LastPass must be configured to point to some Duo cloud account.

Is this your own personal LastPass account, or is it a company account? If you examine your LastPass Duo configuration, is it using the same API Host URL as your RDP Duo application?

That would mean they are tied to the same Duo account, managed from the same Duo admin panel, and that your phone device already activated for Push for your RDP logins is also used for LastPass. Therefore, there is no separate LastPass entry in Duo Mobile.