What is our primary use case?
When our users are connecting to our Cisco VPN, Duo effectively ensures that they are who they say they are by taking a second factor into account, such as the cell phone that was used to create their profile. To do this, it sends them a second mode of authentication, such as a PIN or push confirmation. It also geo-locks who is allowed to actually log into our systems. We have it locked to the continental United States and Puerto Rico, and one outsourcing firm that we work with.
Once you have it set up, all you really have to do is add people to a group in Active Directory and send them the instructions on how to do it. If you have a lower technical user base, you may have to walk them through it. But once it's set up, it really is automatic.
Not a single person from our IT staff really needed anything other than the instructions. Of the 15 people in our test group, nobody actually needed instructions on how to use it either — beyond what I just wrote up and sent them.
As we get to the older population in our company, the less technical population, we're probably going to have to walk them through it or hold their hands a little bit.
Within our organization, there are currently 15 employees using this solution. Eventually, we will have all 221 office staff users with it set up. Still, we'll probably top out at about 80 users a day.
We will increase the overall usage as our users increase. So, if we hire another 10 people, then we'll buy another license.
What is most valuable?
The multi-factor authentication process and the geo-locking features are great. It provides us with statistics about the devices that are used to perform the second authentication factor.
Upon successful connection, it tells us where and what device is being used to perform the second authentication factor. For example, when I log in with it, we'll see that I have my iPhone 11 and that it is located in the area via its IP address.
What needs improvement?
We had some trouble with the password reset function. When a user's password is expired, you can prompt them using Cisco AnyConnect — a password management feature — to change their password in the same channel during the login process. We had a lot of trouble configuring that. As a result, we now have a second channel that bypasses Duo to allow them to reset their password.
For this, we needed Cisco support, Duo support, and our network administrator all lined up. It should have just been something that they could have just configured, but they weren't able to do it in the same channel. We had to actually create a second channel. When you do this, people will try to log on and it'll tell them that their password is incorrect. They'll realize that their password is expired because it's been 90 days. Afterward, they'll then have to go back to AnyConnect, change the channel that they're logging into, attempt to log in, get the password prompt, disconnect from the AnyConnect, and then reconnect using the Cisco Duo multifactor authentication — this is extremely complicated.
Still, it's really only a problem for a small subset of users: the ones who ignore the notifications that start 10 days before, saying, "Hey, change your password." So, it's not as big of a deal as it sounds. Just by having a functional way to do it, it makes it so that if nobody's on staff, the user can reset their own password without having to call us in the middle of the night on a Saturday, because that's the best time for those passwords to expire.
Also, it would be nice if it was easier to modify the splash screen that comes up when entering your username and password.
For how long have I used the solution?
We actually just configured Duo Security — we're in the process of pushing it out. Currently, we've been using it for the past three to four months.
What do I think about the scalability of the solution?
Scalability is definitely up there. It could easily handle many, many, many more authentications than we are currently or ever would use. It could definitely go far beyond what we are currently using.
How are customer service and technical support?
The technical support agents are definitely knowledgeable; they give us plenty of recommendations on how to do things. They are very quick to send us white papers describing how to fix things ourselves.
Although they try to push us toward a self-help model, they do eventually get online with us via a WebEx chat with the Cisco reps and help us out. We've never really had any problems finding somebody from chat support who would jump on to the WebEx meetings with Cisco premium support.
Which solution did I use previously and why did I switch?
We didn't have anything covering multifactor authentication. We were using Cisco AnyConnect with the tie-in to Active Directory, but we just had the single factor — the username and password. Duo allowed us to greatly enhance our security. Now, not only do users have to know their username and password, but they also have to be able to receive the second-factor authentication in order to get in. The same goes for anyone trying to break in.
How was the initial setup?
The initial setup was complex, but due to the support that we received during the onboarding, it was very simple, with the exception of the password reset channel that I mentioned earlier, which we tried to use but didn't end up doing. The way we have it set up now is actually how it was configured during the onboarding process. It just would've been nice to have had it functionally work — to have that all in one channel.
What about the implementation team?
Regarding deployment, we have an in-house person, but we still had Cisco Duo onboarding support to assist us with the setup. If you have a CCNA, you'll probably be able to do it yourself, but it's just much easier to do it with onboarding support.
The functional part of the onboarding process only took roughly an hour. Including troubleshooting our channel issue, we spent roughly 16 hours before we just decided to go back to the original build.
What's my experience with pricing, setup cost, and licensing?
Our licensing fee is currently on an annual basis.
There are two levels of support with Duo that we were considering. The first level of support is just the two-factor authentication — it doesn't do anything else. But the second level of support provides us with network access control. This basically allows us to say, "Hey, your iPhone hasn't been updated in 10 years, update your iPhone to continue using this service." Or, "Your Windows device does not have updates." It also provided us with the geolocation feature. We were experiencing a lot of break-in attempts from Moldova. So, thanks to this feature, we just locked out Moldova. If nobody in Moldova can connect to our system, then nobody in Moldova can hack us.
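The three controls this review describes, the country allowlist from the primary-use-case section and the second factor plus device-health check from the licensing section above, compose into one access decision. The block below models that composition as an added example; it is not Duo or Cisco code and does not use any Duo API. It assumes a GeoIP lookup has already turned the source IP into a country code (the country is an input), and the OS thresholds, usernames and IP addresses are constructed sample values.

```python
"""Model of a VPN multi-factor access policy: geo-lock, verified second factor,
and device posture. Illustrative example only; not Duo or Cisco code."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY_GEO = "deny: source country not in allowlist"
    DENY_MFA = "deny: second factor missing or not verified"
    DENY_POSTURE = "deny: device platform unknown or below minimum OS version"


@dataclass(frozen=True)
class AccessPolicy:
    allowed_countries: frozenset   # ISO 3166-1 alpha-2 codes allowed to log in
    allowed_factors: frozenset     # second-factor methods the policy accepts
    min_os_version: dict           # platform -> minimum version tuple (constructed)


@dataclass(frozen=True)
class AuthAttempt:
    username: str
    source_ip: str
    country: str            # from an upstream GeoIP lookup (assumed to exist)
    device_os: str          # e.g. "ios", "windows"
    os_version: str         # e.g. "15.4.1"
    second_factor: str      # "push", "passcode", or "" if none was completed
    factor_verified: bool   # did the second factor actually succeed?


def parse_version(text: str) -> tuple:
    """'15.4.1' -> (15, 4, 1). Non-numeric pieces become 0, so a malformed
    version string compares as old (fails closed) instead of raising."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def evaluate(policy: AccessPolicy, attempt: AuthAttempt) -> tuple:
    """Return (Decision, audit record). The geo-lock runs first so a blocked
    country never even triggers a push to the user's phone; posture runs last
    because the device identity is only trusted once the second factor passed."""
    audit = {
        "user": attempt.username,
        "ip": attempt.source_ip,
        "country": attempt.country,
        "device": f"{attempt.device_os} {attempt.os_version}",
        "factor": attempt.second_factor or None,
    }
    if attempt.country.upper() not in policy.allowed_countries:
        return Decision.DENY_GEO, audit
    if not attempt.factor_verified or attempt.second_factor not in policy.allowed_factors:
        return Decision.DENY_MFA, audit
    minimum = policy.min_os_version.get(attempt.device_os.lower())
    if minimum is None or parse_version(attempt.os_version) < minimum:
        # Unknown platform is treated the same as an outdated one: fail closed.
        return Decision.DENY_POSTURE, audit
    return Decision.ALLOW, audit


# Policy mirroring the review: continental US and Puerto Rico, push or passcode,
# with constructed minimum-version thresholds for the posture check.
POLICY = AccessPolicy(
    allowed_countries=frozenset({"US", "PR"}),
    allowed_factors=frozenset({"push", "passcode"}),
    min_os_version={"ios": (15, 0), "windows": (10, 0, 19044)},
)

# Constructed sample attempts (not real traffic; RFC 5737 documentation IPs).
SAMPLE_ATTEMPTS = [
    AuthAttempt("alice", "203.0.113.10", "US", "ios", "15.4.1", "push", True),
    AuthAttempt("bob", "198.51.100.7", "MD", "windows", "10.0.19045", "push", True),
    AuthAttempt("carol", "203.0.113.22", "PR", "windows", "10.0.19045", "", False),
    AuthAttempt("dave", "203.0.113.31", "US", "ios", "12.5.7", "passcode", True),
    AuthAttempt("erin", "203.0.113.40", "US", "android", "13", "push", True),
]


def run_policy(policy: AccessPolicy = POLICY, attempts=SAMPLE_ATTEMPTS) -> dict:
    """Evaluate every attempt; returns {username: Decision}."""
    return {a.username: evaluate(policy, a)[0] for a in attempts}


if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        decision, audit = evaluate(POLICY, attempt)
        print(f"{decision.name:13} {audit}")
```

The audit record is what the review's "where and what device" report amounts to: the decision alone is not enough for an investigator, so the country, IP and device are returned alongside it even for denials. The ordering is the security-relevant design choice: running the geo-lock before the second factor means the blocked region generates no push prompts that a user might approve by habit.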
What other advice do I have?
If you're interested in using this solution, be sure to get the onboarding team to set everything up during the onboarding phase. Set up a proxy server if you can and get them to do everything during the onboarding phase — then you won't have any problems.
Compared to the after-purchase support, the onboarding people are a lot more willing to just take over your computer and set things up for you.
Overall, on a scale from one to ten, I would give this solution a rating of ten — it's the best.
Which deployment model are you using for this solution?