Hello,

Just thought I would reach out to the community on this one. Couple of us are trying to come up with a MFA solution for a group of users that are going to be access a cloud based SaaS.

The users are preferred not to have any personal cell phones on them so we were thinking of just created AD account with or without email, haven’t decided yet.

1st option:
would be assign them hard tokens but if they don’t have email it could be problematic having them enroll in Duo.

2nd option would be that they could share a company phone interchanging it between shifts. I did test this on Duo with a test account and it is possible to have 2 accounts on 1 number.

Again, just though I would reach out to the community and see what they thought.

Hi @Gigawatt, great question! I was hoping another admin from the community would weigh in on this, but since you haven’t gotten a reply yet, I’ll share my thoughts. I think hardware tokens or Yubikeys would be the best option here.

I’m concerned if you have a shared company phone, the risk of it being lost or misplaced might be higher than if it were a personal device. What if someone forgets to hand it off during a shift change? If you go that route, I’d definitely recommend setting a screen lock policy that requires the device to have a PIN or password to protect the device.

There is also a limit of 100 users to a phone, so if you have more than 100 users, you will need more than one company device.

Thanks for this reply @Amy , and I apologize for the late response just got back from a week of much needed vacation. I will pass this info to my counterpart and manager. The DUO community is great!

Thanks! I hope you enjoyed your vacation, and I’m so glad to hear you got to take that needed time.