Please share with the community what you think needs improvement with Duo Security.
What are its weaknesses? What would you like to see changed in a future version?
We had some trouble with the password reset function. When a user's password is expired, you can prompt them using Cisco AnyConnect — a password management feature — to change their password in the same channel during the login process. We had a lot of trouble configuring that. As a result, we now have a second channel that bypasses Duo to allow them to reset their password. For this, we needed Cisco support, Duo support, and our network administrator all lined up. It should have just been something that they could have just configured, but they weren't able to do it in the same channel. We had to actually create a second channel. When you do this, people will try to log on and it'll tell them that their password is incorrect. They'll realize that their password is expired because it's been 90 days. Afterward, they'll have to then go back to AnyConnect, change the channel that they're logging into, attempt to log in, get the password prompt, disconnect from the AnyConnect, and then reconnect using the Cisco Duo multifactor authentication — this is extremely complicated. Still, it's really only a problem for a small subset of users. The ones who ignore the notifications 10 days before saying, "Hey, change your password." So, it's not as big of a deal as it sounds. Just by having a functional way to do it, it makes it so that if nobody's on staff, the user can reset their own password without having to call us in the middle of the night on a Saturday, because that's the best time for those passwords to expire. Also, it would be nice if it was easier to modify the splash screen that comes up when entering your username and password.
The only time I really had some negative feedback for them was about the UI of their mobile app, but they improved it in the last version. There was no way to (re)name 3rd party OTP accounts, so it got confusing when multiple ones existed. In addition, each account took a lot of space on the screen; they condensed it in the new version to make it easier for people that have a lot of accounts added. Duo has a beta program and actively solicits and listens to feedback, which I personally think is great. It is good on the functionality side, but their pricing model is a little bit weird. Currently, there is no price advantage in signing up for yearly contracts. If you are on a monthly term or a yearly contract, you basically pay the same price, and that is very unusual. Normally, there is a discount when someone signs up for the 12-month system.
Its documentation must be in French because we are a French-speaking country. They should also provide more training documentation. Its management interface should also be improved. They should also improve its update period. If I compare its update period with other products such as Palo Alto firewalls, this solution is really slow in updates.
I haven't experienced any issues with Duo Security, but I'm only on the front end; I don't see the back end. I don't know what the IT guys are struggling with. From the front end, it's very fast and it hasn't missed a beat, so to say. As soon as I log in, within a second, I receive a message on my mobile, and as soon as I hit okay, that is within a second, then it's already passed on to the database where I need to be. It's lightning-fast; I've never experienced anything like it in the past.
I think that the dashboard needs to be improved. Duo Security is a cloud-based product. Most of the security technicians in India that we work with want a security product in-house for their main data center security solution. Because it is possible to integrate Duo Security with cloud-based services, it is good for use with various customers and hybrid architecture. Other features are good, but the only thing is, because of compliance, certain customers cannot use it as a solution. This is due to compliance with regulations for lots of customers like banks and financial sectors who cannot go with cloud products.
Improving coverage of different solutions and on-premise residents would make a difference. It would help if you could deploy on-premises, and not only with the cloud. Connection with an Active Directory requires something on-premises, and for that you need to have some kind of client or proxy, or something on-prem, but keeping the idea of the users for GDPR and not sending them to the cloud to do it makes sense. Removing the need for a password would be a positive change, as well as the ability to cover all the different enterprise applications. They don't have coverage for everything.