DUO Admin

¡Supera tus tareas y exámenes ahora con Quizwiz!

Authentication Methods Ranked

1. Touch ID 2. Security keys 3. Duo Mobile push approval 4. YubiKey passcodes 5. Duo Mobile generated passcodes 6. Hardware token passcodes 7. SMS passcodes 8. Phone call approval

Reporting Overview

AUTHENTICATION LOG TELEPHONY LOG ADMINISTRATOR ACTIONS AUTHENTICATION SUMMARY DENIED AUTHENTICATIONS DEPLOYMENT PROGRESS POLICY IMPACT

ORDER OF ENFORCEMENT

Application and Group Policies override the Global Policy Group Policies override Application Policies Group Application Global

Enrollment Emails

Day 0: User is synced. Initial enrollment email sent to end-user Day 2: Reminder 1: Sent if enrollment is not completed Day 10: Reminder 2: Sent if enrollment is not completed Day 30: Link expires. New link is generated and cycle repeats the next time the sync runs

METHODS FOR ADDING USERNAMES

Directory Sync Import Users Bulk Enrollment Inline Self-Enrollment

Conditions for Push Notifications

Duo Mobile app is installed and activated on the device Connected to a reliable WiFi or cellular connection Duo Push requests / Notifications are toggled On in your notification settings

DUO WEB SDK

Duo Web SDK can also be used to add two-factor authentication to a web application, by modifying the code to add a second login page and splitting the login handler into two parts. The Duo Web SDK is a generic integration that can be used to protect applications that are not listed on the Applications tab.

APPLICATIONS

Duo can protect almost any application that supports authentication via RADIUS, LDAP, or SAML 2.0.

Remembered Devices Policy

When a Remembered Devices policy is enabled, Duo creates a trusted session for web-based applications using the Duo Prompt for a period of time decided by the administrator (the default is 30 days).

UNENROLLED/NEW USER (NO USERNAME, NO DEVICE)

If a username is not listed in the Duo Admin Panel at all, the user is not enrolled. Their information will not appear in the Admin Panel and they will be considered a new user when they attempt to access Duo-protected applications

POLICIES

Improve your security posture by configuring and enforcing rules for who can access your applications under conditions you define

TELEPHONY OPTIONS

Low-credit alerts Low credit alert email

CREATING ADMINISTRATORS

Owner-role administrators can create new administrators directly in the Admin Panel or by using the Admin API to generate a setup link Administrators need both a Duo administrator account AND an end-user account; one to access the Admin Panel, and the other to access their Duo-protected applications Note: Duo does not support user provisioning via Directory Sync for administrator accounts. Administrator accounts for the Admin Panel are local to the Duo Cloud Service and must be created directly in the Admin Panel or via the Admin API with a password and cannot be synced from an external source

Import Users

REQUIREMENTS CSV file of user attributes ENROLLMENT EMAILS Not sent IDEAL ENVIRONMENTS Flexible; can be used by any Owner, Administrator, or User Manager with a CSV file of user information

DIRECTORY SYNC

REQUIREMENTS External directory with populated user groups. Duo Authentication Proxy (On-premises Active Directory or OpenLDAP) ENROLLMENT EMAILS When Send Enrollment Email is enabled, emails are sent only to users without an attached phone number IDEAL ENVIRONMENTS Great solution for those with an existing external directory. Reduces effort for provisioning users

Device Management Portal

REQUIREMENTS On-premises web server with authentication to user directory. Ability to add second login page ENROLLMENT EMAILS Not sent IDEAL ENVIRONMENTS Advanced configuration. Requires development resources. Additional gating recommended (e.g. restrict enrollment from external networks)

INLINE SELF-ENROLLMENT

REQUIREMENTS Protected application that supports the Duo Prompt ENROLLMENT EMAILS Not sent IDEAL ENVIRONMENTS Quick and efficient. Great method if speed to security is required

BULK SELF-ENROLLMENT

REQUIREMENTS Username and valid email address for all users ENROLLMENT EMAILS Sent automatically to unenrolled users IDEAL ENVIRONMENTS Flexible; can be used by any Owner, Administrator, or User Manager with valid email addresses for end-users

NEW USER POLICY OPTIONS

Require Enrollment: Allow unenrolled users to be able to self-enroll the next time they log in to a Duo-protected application. In order for end-users to self-enroll, your application must support the Duo Prompt or Universal Prompt. Allow Access without 2FA Deny Access: Block unenrolled end-users from accessing Duo-protected applications.

applications that you can integrate with Duo

Servers, workstations, and laptops VPNs Web applications Single Sign-on (SSO)/SAML 2.0 identity providers and applications Generic RADIUS and LDAP configurations

DUO AUTH API

The Duo Auth API is a REST-based API that can be configured to work with a number of different services.

THE DUO PROMPT

This prompt is delivered via an inline frame (or iFrame), generally using our WebSDK, which means that the Duo Prompt is embedded within a web page hosted by the protected application

FULLY ENROLLED (USER & DEVICE)

When a user has both their username and at least one associated 2FA device in Duo, the user is considered fully enrolled.

PARTIALLY ENROLLED (USERNAME ONLY)

When a user has only a username in Duo with no associated 2FA device, the user is considered partially enrolled.

Generic LDAP

When generic LDAP is used, you will need to install the Duo Authentication Proxy, a local proxy service, on a physical or virtual host within your network.

Generic RADIUS

When RADIUS is used, you will need to install the Duo Authentication Proxy, a local proxy service, on a physical or virtual host within your network. This Duo proxy server may also act as a RADIUS server — there's usually no need to deploy a separate RADIUS server to use Duo

Customization

exists only for Web Based applications needs to be PNG

LOCKOUT SETTINGS

lockout threshold settings can be configured by administrators and are customizable on the Settings page The default lockout threshold is ten failed attempts

SMS Weaknesses

reroute text messages to another device, or read SMS-delivered codes even from a locked phone screen

THE UNIVERSAL PROMPT

the Universal Prompt is delivered using OpenID Connect (OIDC) standards, an authentication delegation protocol that enables communication between an application and an authentication provider the protected application redirects to the Universal Prompt on a page hosted by Duo at duosecurity.com, and then redirects back to the protected application


Conjuntos de estudio relacionados

250 Psychiatric Nursing - Exam 1

View Set

what is life, chapter 1 lesson 1 - science

View Set

Childress study guide final fall semester

View Set

Unit 1: The Biology of Psychology

View Set

Chapter 11: Health Assessment Prep U

View Set

World History Chapter 4 Section 3

View Set