Solved: Re: Enrolling Multiple Users Accounts Using One Phone

WhatMeWorry · ‎09-15-2021

We are utilizing self-enrollment, and that seems to go fine. The user enters his/her phone number and then is presented with a QR Code to activate the account (so, this seems like it is an enrollment and activation bundled into one).

But some users also have an additional account that we would also like to enroll, and since it is owned by the same employee, it will be using the same phone assigned to them from the previous enrollment. What seems odd to me is that it is using SMS instead of a QR Code to validate the phone when self-enrolling.

Is there a way to force it to use the QR Code method?

And I am asking because we have limited Telephony credits that would quickly get eaten up using SMS for enrolling these additional accounts.

And, as an alternative, I realize that I can assign these secondary accounts as aliases on the original account, but is there a way to automate the population of this field when self-enrolling the original account (account names are predictable)? If not, I am stuck process of manually adding them every time one of these users enroll using this method.

DuoKristina · ‎09-17-2021

if you are validating the phone for the first account with a QR Code

The phone doesn’t exist yet in Duo. It is getting registered for the first time. The QR code is a URL that triggers adding the account activation in the Duo Mobile app, and not a verification operation.

you should be able to do it with the second account

Now with the second account it’s trying to use a phone that does already exist, unlike the first time where the phone did not exist in Duo yet. We want to make sure that the person enrolling a second account with the existing phone actually has access to the phone (that a bad actor isn’t trying to snipe the Duo activation away from a legitimate user by activating Duo on a different phone), so we verify that with a text message or phone call.

Again, scanning a QR code isn’t verification. The QR code is for activation of Duo mobile for push and passcode generation for that account.

“Make it so users can verify ownership of a previously added phone with a method that doesn’t use telephony credits, like Duo Push” is a legitimate feature request. Another possible feature request is “Let users provide additional usernames or other information during first-time Duo enrollment”.

If those ideas interest you then contact your Duo account exec or Duo Care customer manager if you have one, or Duo Support if you don’t, to add your support to those feature requests.

If you have so many users who need to enroll alternate usernames that you’re concerned about consuming all your credits, then definitely you should look into automating alias import with directory sync or doing a bulk import like ITEM93 was kind to suggest.

Duo, not DUO.

View solution in original post

ITEM93 · ‎09-15-2021

Hi @WhatMeWorry

The alias method that you mentioned earlier is probably your best bet.
You can create a CSV to bulk import users with their alias attached Importing Users from a CSV | Duo Security
Alternatively you can sync the list of users and have their alias as an additional field in the sync Duo Directory Synchronization | Duo Security

You can also assign the device to more than one user from within the admin panel Knowledge Base | Duo Security

I hope this helps

DuoKristina · ‎09-15-2021

No. We will verify that the second user has access to the phone with the SMS verification. Use one of the alternate methods suggested to have the second username added as an alias to the first. This keeps a single human from consuming two of your Duo user licenses.

Duo, not DUO.

WhatMeWorry · ‎09-16-2021

Thanks for your assistance.

It just seems to me that if you are validating the phone for the first account with a QR Code, that you should be able to do it with the second account.

That’s okay–I was trying to avoid having to do any manual processes to get these enrolled, but I can live with it.

DuoKristina · ‎09-17-2021

if you are validating the phone for the first account with a QR Code

The phone doesn’t exist yet in Duo. It is getting registered for the first time. The QR code is a URL that triggers adding the account activation in the Duo Mobile app, and not a verification operation.

you should be able to do it with the second account

Now with the second account it’s trying to use a phone that does already exist, unlike the first time where the phone did not exist in Duo yet. We want to make sure that the person enrolling a second account with the existing phone actually has access to the phone (that a bad actor isn’t trying to snipe the Duo activation away from a legitimate user by activating Duo on a different phone), so we verify that with a text message or phone call.

Again, scanning a QR code isn’t verification. The QR code is for activation of Duo mobile for push and passcode generation for that account.

“Make it so users can verify ownership of a previously added phone with a method that doesn’t use telephony credits, like Duo Push” is a legitimate feature request. Another possible feature request is “Let users provide additional usernames or other information during first-time Duo enrollment”.

If those ideas interest you then contact your Duo account exec or Duo Care customer manager if you have one, or Duo Support if you don’t, to add your support to those feature requests.

If you have so many users who need to enroll alternate usernames that you’re concerned about consuming all your credits, then definitely you should look into automating alias import with directory sync or doing a bulk import like ITEM93 was kind to suggest.

Duo, not DUO.