Duo uses push notifications, time-based, one-time passwords, physical tokens and biometrics to verify the identity of users at login. Similarly, Microsoft Authenticator uses push notifications, one-time passcodes, and biometrics for authentication and can integrate with Microsoft 365 and Azure Active Directory. While both 2FA options share some similarities, there are still key differences that can sway your decision to choose one over the other.
Duo. After Cisco bought out Duo, however, they did not like our original contract. Now our CISO is saying for us to explore Microsoft. 65k+ staffed company.
The problem I’ve had with duo is that a user counts towards a license just by existing within your duo tenant (correct term?). Meaning that even if the user has no devices associated and cannot perform 2fa, they still have a cost.
I found it eye opening when they talked about Duo SSO (their own identity provider, think adfs). I may be wrong but my thoughts was “okay, but duo is cost restrictive to us, are you saying we need to onboard everyone just so they can get to internally federated applications?”. Didn’t feel great.
You look at their directory synchronization tool, it’s the same thing, it will onboard users no problem, but you pay for those users the moment the account exists.
I have no problem saying everyone should have to perform mfa, but if you mfa all your ingress points and highly sensitive data, paying for everyone whom may not require or use it is a waste of money.
What we did was an opt in approach. You register on your own time via onpremise portal that uses their API to register the user and their device. If you don’t do that and end up needing it externally, well too bad. In extreme scenarios we can admin register a user .