
using bypass codes for a VA

I am trying to figure out the best way to give a VA access to certain accounts without giving her the login info. My thought is to share passwords via LastPass (or other password manager), but not so the password shows. For 2FA, use a bypass code generated in Duo, perhaps setting a time limit.

Questions:

  1. Is this viable as I've outlined?
  2. If it is, would I need to create an email address from my company? Or could she use her own email address?
  3. If VA has several clients, will she be able to create one Duo account that will give her access to different bypass codes from different clients? I'm especially thinking about social media managers who might manage 3 different TikTok or Pinterest accounts, for example.
  4. If I create a bypass code for her, will deleting the code stop access? (Obviously, change the password, too.)

    TIA

DuoKristina
Cisco Employee

1. I understand your premise as:

"I have an account with username "xyz" for some application, and that application is protected with a 2FA Duo application. I have "xyz" as a valid user in Duo. I want to let an external person, Mary Lastname, log in as "xyz" without having her know the password. I will share the password for the "xyz" user with Mary via LastPass, but not let her view the password. I also want to provide Mary with a Duo bypass code so she can complete Duo 2FA when she logs in as the "xyz" user."

Is that correct? I am not sure what "VA" means.

2. Is this a LastPass question? I think you can share a credential from LastPass with someone whose email is not part of your organization. You would not add that individual as a Duo user at all in the scenario I described above.

3. OK, this question makes me wonder if the scenario I described above is not actually what you want to do. We do not offer Duo 2FA services for TikTok or Pinterest (meaning, authentication backed by our cloud service). So now I think you are wondering about using Duo Mobile as an authenticator app that generates passcodes for third-party services. Is that actually what you want? Because in that scenario - you as an admin do not manage the accounts in Mary's Duo Mobile app at all, nor can you issue Duo bypass codes to anyone. We call this type of use case "third-party accounts" - https://guide.duo.com/third-party-accounts

Example - Instagram. I have an Instagram account. I log into Instagram and go to my account settings. There is an option to turn on two-factor authentication. I do that and choose to use an authenticator app. I have decided to use Duo Mobile as my authenticator app. I scan the QR code for Instagram with Duo Mobile. That Instagram account shows up in my app. The next time I log in to Instagram I have to open Duo Mobile to get a passcode to sign in. If I have five different Instagram accounts, I repeat this process five times, and my Duo Mobile app ends up with five different Instagram accounts listed. Nobody else is able to give me a code to log in to Instagram. - https://help.instagram.com/566810106808145

So is this your scenario? "I have a TikTok account with username "xyz". I want to let an external person, Mary Lastname, log in to TikTok as "xyz" without having her know the password. I will share the password for the "xyz" user with Mary via LastPass, but not let her view the password. When Mary Lastname logs in to TikTok as "xyz" she can go to the account settings and add Duo Mobile on her phone as an authenticator app to generate passcodes. I expect I can continue to manage the "xyz" account as well and that I can remove Mary's access to the account."

That, I think, is not an entirely valid scenario, because it would depend on if TikTok (or whatever) permits a single account to have multiple methods of two-factor authentication functioning concurrently. If it does not, as soon as Mary sets up two-factor authentication for "xyz", using Duo or not, you would no longer be able to log in as "xyz" because you do not have access to Mary's phone to generate the passcode needed to sign in.

4. Now I don't know what to say here, because I can't tell if you are talking about Duo cloud-service managed accounts or third-party accounts in Duo Mobile. But yes, in use cases where Duo bypass codes are a valid 2FA factor, deleting the bypass code prevents login.

Duo, not DUO.
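
The lockout described in the answer above, modeled as an added example (not code from the post or from Duo): authenticator-app passcodes of this kind are typically RFC 6238 TOTP values derived from the secret carried in the setup QR code, so only a device holding the currently enrolled secret can produce a valid code. `SingleAuthenticatorService` is a hypothetical service that keeps one secret per account, and both secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: depends only on the shared secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SingleAuthenticatorService:
    """Hypothetical service that stores one authenticator secret per account."""
    def __init__(self):
        self.secret = None

    def enroll(self, new_secret: bytes) -> None:
        # The QR code shown at setup carries this secret; enrolling again replaces it.
        self.secret = new_secret

    def verify(self, code: str, now: int) -> bool:
        return self.secret is not None and hmac.compare_digest(code, totp(self.secret, now))

def simulate(now: int = 1_700_000_000) -> dict:
    owner_secret = b"constructed-owner-secret"        # constructed sample value
    assistant_secret = b"constructed-assistant-key"   # constructed sample value
    svc = SingleAuthenticatorService()
    svc.enroll(owner_secret)
    owner_before = svc.verify(totp(owner_secret, now), now)
    svc.enroll(assistant_secret)                      # assistant sets up her own phone
    return {
        "owner_before": owner_before,
        "owner_after": svc.verify(totp(owner_secret, now), now),
        "assistant_after": svc.verify(totp(assistant_secret, now), now),
    }

if __name__ == "__main__":
    print(simulate())
```

On a service that instead keeps several authenticator secrets active at once, `owner_after` would stay true, which is the dependency the answer points out.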