Best Practices for Enrolling Users in MFA

Guest blog courtesy of Cisco.

Enrolling users in multi-factor authentication (MFA) is an essential security step for any organization, but enrollment can be a logistical challenge and brings security risks of its own. In this post we discuss enrollment options and security best practices for Duo admins, whether they are rolling out MFA for the first time or maintaining enrollment for existing users.

Enrollment basics

Enrollment is the process by which users are added to a Duo account and enabled to use MFA. To be enrolled, a username must exist in Duo (i.e., be visible under the Users page in the Duo Admin Panel) and the user must have registered at least one MFA device.

Enrollment methods

Administrators have several methods to choose from for enrolling users.

  • In automatic enrollment, user information is uploaded in CSV format or synced from a directory service.
  • In self-enrollment, users enroll themselves either from an enrollment email or inline as they attempt to access a Duo-protected application.
  • In manual enrollment, admins enter information for users one at a time.

Automatic enrollment might seem easier for users, but they must still follow up to register their authentication devices. Even when a phone number is included with automatic enrollment, which enables SMS and phone-call authentication out of the gate, we recommend that users add stronger methods such as Duo Push or FIDO2/WebAuthn security keys, since SMS and voice passcodes can be intercepted or phished.

To reduce helpdesk calls and encourage the use of secure authentication methods, Duo recommends that users be allowed to self-enroll and to manage their own devices after enrollment.

New User Policy

Prior to enrollment, users’ access to Duo-protected resources is governed by the New User Policy. Like all Duo policies, this can be set globally or for specific applications and user groups.

The New User Policy has three options. The default, “Require Enrollment,” prompts users for inline enrollment the first time they try to gain access. “Allow Access” exempts unenrolled users from MFA entirely and should be used with caution. “Deny Access” provides the tightest security control but can create friction for new users; for example, admins should be careful not to deny access to the email accounts to which self-enrollment links are sent.

Self-enrollment risks

Duo recommends enabling users to self-enroll when possible, but there are some risks. An attacker with stolen credentials may attempt to enroll on the legitimate user’s behalf, either by stealing an emailed self-enrollment link or by initiating inline self-enrollment when attempting to access a resource. They can then register their own device, gaining persistent access to the user’s account.

Admins must weigh these risks when choosing enrollment methods and setting New User Policy. On balance, self-enrollment still can be an effective option if admins follow best practices.

Secure enrollment best practices

Organizations’ primary goal with enrollment should be to get as many users using MFA as possible, as quickly as possible. However, they must also be careful not to leave the door open to bad actors. This section will outline best practices for keeping enrollment secure.

Practice #1: Eliminate bypass access

Enrolling users is no help if an organization’s resources do not require MFA by policy. Duo Admins can exempt applications, user groups, network addresses or locations from MFA and can place individual users in bypass status. These options are powerful tools when used appropriately but can leave resources vulnerable if organizations aren’t careful.

When users can bypass MFA and inline self-enrollment is enabled, they may never encounter the enrollment prompt and will remain unenrolled or partially enrolled indefinitely. These accounts are sitting ducks: an attacker who steals the credentials can trigger the enrollment prompt and register a device of their own.

To reduce bypass access, admins should review the policies set in the Duo Admin Panel, including application, group, network and location exemptions and any users in bypass status. They should also check the organization’s authentication logs, which record the reason access was granted, to see which authentications in their environment completed without a second factor.
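The log review described above, as an added example that is not part of the original post: the script below runs over a handful of constructed authentication log records (not real data) shaped like the records returned by the Duo Admin API v2 authentication log endpoint, and flags successful authentications whose `reason` value shows that no second factor was used. The `reason` strings treated as bypasses are the ones this example assumes the Admin API uses for bypass status and policy exemptions; confirm them against the Admin API documentation for your edition before relying on the list.

```python
from collections import Counter, defaultdict

# Reason values under which Duo granted access WITHOUT a second factor.
# Assumption: these are the Admin API v2 authentication-log `reason`
# strings for bypass status and policy exemptions; verify against your docs.
MFA_BYPASS_REASONS = {
    "bypass_user": "user is in bypass status",
    "allow_unrolled_user".replace("unrolled", "unenrolled"): "New User Policy 'Allow Access'",
    "allow_unenrolled_user_on_trusted_network": "unenrolled user on an authorized network",
    "trusted_network": "authorized-network exemption",
    "trusted_location": "trusted-location exemption",
}

# Constructed sample records (documentation IP ranges, fictional users),
# trimmed to the fields this check needs.
SAMPLE_AUTH_LOGS = [
    {"isotimestamp": "2024-03-01T08:02:11+00:00", "user": {"name": "alice"},
     "application": {"name": "Corporate VPN"}, "result": "success",
     "factor": "duo_push", "reason": "user_approved", "access_device": {"ip": "203.0.113.7"}},
    {"isotimestamp": "2024-03-01T08:05:40+00:00", "user": {"name": "bob"},
     "application": {"name": "Corporate VPN"}, "result": "success",
     "factor": "not_available", "reason": "bypass_user", "access_device": {"ip": "198.51.100.23"}},
    {"isotimestamp": "2024-03-01T08:09:02+00:00", "user": {"name": "carol"},
     "application": {"name": "Webmail"}, "result": "success",
     "factor": "not_available", "reason": "allow_unenrolled_user", "access_device": {"ip": "192.0.2.44"}},
    {"isotimestamp": "2024-03-01T08:15:19+00:00", "user": {"name": "alice"},
     "application": {"name": "Wiki"}, "result": "success",
     "factor": "not_available", "reason": "trusted_network", "access_device": {"ip": "203.0.113.7"}},
    {"isotimestamp": "2024-03-01T08:21:55+00:00", "user": {"name": "dave"},
     "application": {"name": "Corporate VPN"}, "result": "denied",
     "factor": "duo_push", "reason": "no_response", "access_device": {"ip": "198.51.100.9"}},
    {"isotimestamp": "2024-03-01T08:30:00+00:00", "user": {"name": "erin"},
     "application": {"name": "Webmail"}, "result": "success",
     "factor": "remembered_device", "reason": "remembered_device", "access_device": {"ip": "203.0.113.12"}},
    {"isotimestamp": "2024-03-01T09:01:37+00:00", "user": {"name": "bob"},
     "application": {"name": "Webmail"}, "result": "success",
     "factor": "not_available", "reason": "bypass_user", "access_device": {"ip": "198.51.100.23"}},
]


def bypass_events(records):
    """Return the successful authentications that skipped the second factor.

    Denied attempts are ignored: the concern here is access that was granted
    without MFA, not attempts that policy stopped.
    """
    events = []
    for r in records:
        if r.get("result") != "success":
            continue
        reason = r.get("reason", "")
        if reason in MFA_BYPASS_REASONS:
            events.append({
                "time": r.get("isotimestamp"),
                "user": r["user"]["name"],
                "application": r["application"]["name"],
                "reason": reason,
                "why": MFA_BYPASS_REASONS[reason],
                "ip": r.get("access_device", {}).get("ip"),
            })
    return events


def users_never_challenged(records):
    """Users whose every successful authentication bypassed MFA.

    These are the 'sitting ducks': credentials alone are enough to reach a
    protected resource, and the account has never proven a second factor.
    A remembered-device authentication counts as MFA-backed because it
    requires an earlier completed MFA on that device.
    """
    counts = defaultdict(lambda: {"bypass": 0, "mfa": 0})
    for r in records:
        if r.get("result") != "success":
            continue
        bucket = "bypass" if r.get("reason", "") in MFA_BYPASS_REASONS else "mfa"
        counts[r["user"]["name"]][bucket] += 1
    return sorted(u for u, c in counts.items() if c["mfa"] == 0 and c["bypass"] > 0)


def bypass_summary(records):
    """Count bypass authentications by reason, to see which exemption is doing the bypassing."""
    return Counter(e["reason"] for e in bypass_events(records))


if __name__ == "__main__":
    for e in bypass_events(SAMPLE_AUTH_LOGS):
        print(f'{e["time"]} {e["user"]:<6} {e["application"]:<14} {e["reason"]:<24} ({e["why"]})')
    print("never challenged:", users_never_challenged(SAMPLE_AUTH_LOGS))
    print("by reason:", dict(bypass_summary(SAMPLE_AUTH_LOGS)))
```

In practice the records would come from the Admin API (paged by timestamp) rather than an inline list; the classification logic is the same. Users returned by `users_never_challenged` are the first to chase, because an attacker with their password faces no second factor and can enroll a device in their name.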

Practice #2: Resolve inactive and overprovisioned accounts

Inactive accounts are a risk to any organization, since bad actors can take over these accounts and use them to enroll with Duo and gain persistent access. Active accounts that are provisioned to access Duo-protected resources, but where users do not access the resources and have not enrolled with Duo, are similarly risky.

To address these risks, admins should look for user accounts with access to Duo-protected resources that are not enrolled with Duo. Tools like Cisco Identity Intelligence can help with this task by bringing together user information from multiple sources.

Practice #3: Monitor partial enrollment

Users who exist in Duo but who do not have any authentication devices registered are considered partially enrolled. Partial enrollment results when no phone number is provided during automatic or manual enrollment, or when a user fails to follow up from a self-enrollment email. Admins can also return a user to this state by deleting all their authentication devices.

Partially enrolled users are a problem because, depending on the New User Policy, they are either denied access to resources or exposed to self-enrollment attacks. They also consume a license and add to the organization’s costs.

Duo provides several tools for addressing partial enrollment. Admins can view these cases in the Admin Panel’s Users table under the heading “Not Enrolled” and can send out enrollment emails. Users who were sent an enrollment email (including through automatic enrollment) can be further reviewed in the Pending Enrollments table. As a safeguard against partially enrolled user accounts persisting indefinitely, admins can elect to lock out users who have not registered a device for a period of time after appearing in Duo.
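An added example, not code from the original post or from Duo, that carries out the account review recommended in Practices #2 and #3 over a user inventory: it takes user records shaped like those returned by the Admin API's Retrieve Users endpoint (a constructed sample here, not real users) and flags partially enrolled accounts, partial enrollments that have persisted past a threshold, accounts in bypass status, and provisioned accounts that are enrolled but have not been used. The thresholds (30 days for stale partial enrollment, 90 days for inactivity) and the fixed "now" are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible (assumption for the example).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
DAY = 86400


def _ts(days_ago):
    """Unix timestamp `days_ago` days before NOW, matching the integer time fields of the user record."""
    return int((NOW - timedelta(days=days_ago)).timestamp())


# Constructed user records (fictional), trimmed to the fields the audit reads:
# status, created, last_login, and the three device lists.
SAMPLE_USERS = [
    {"username": "alice", "status": "active", "created": _ts(200), "last_login": _ts(1),
     "phones": [{"number": "+15555550100"}], "tokens": [], "webauthncredentials": []},
    {"username": "bob", "status": "bypass", "created": _ts(120), "last_login": _ts(3),
     "phones": [], "tokens": [], "webauthncredentials": []},
    {"username": "carol", "status": "active", "created": _ts(2), "last_login": None,
     "phones": [], "tokens": [], "webauthncredentials": []},
    {"username": "dave", "status": "active", "created": _ts(400), "last_login": _ts(180),
     "phones": [{"number": "+15555550101"}], "tokens": [], "webauthncredentials": []},
    {"username": "erin", "status": "active", "created": _ts(60), "last_login": None,
     "phones": [], "tokens": [], "webauthncredentials": []},
    {"username": "frank", "status": "active", "created": _ts(400), "last_login": None,
     "phones": [], "tokens": [], "webauthncredentials": [{"credential_name": "security key"}]},
]


def device_count(user):
    """Number of registered authentication devices across phones, hardware tokens and WebAuthn credentials."""
    return sum(len(user.get(k) or []) for k in ("phones", "tokens", "webauthncredentials"))


def classify_user(user, now=NOW, stale_days=30, inactive_days=90):
    """Return the list of findings for one user (empty list means nothing to act on).

    partially_enrolled        : exists in Duo but has no device, so cannot complete MFA
    stale_partial_enrollment  : partially enrolled for longer than `stale_days`
    bypass_status             : user-level MFA bypass, never prompted to enroll
    inactive                  : enrolled but not logged in for `inactive_days` (or ever)
    """
    findings = []
    devices = device_count(user)
    age_days = (now.timestamp() - user["created"]) / DAY

    if devices == 0:
        findings.append("partially_enrolled")
        if age_days > stale_days:
            findings.append("stale_partial_enrollment")

    if user.get("status") == "bypass":
        findings.append("bypass_status")

    # Inactivity is only assessed for enrolled accounts; unenrolled ones are already flagged above.
    if devices > 0:
        last = user.get("last_login")
        idle_days = age_days if last is None else (now.timestamp() - last) / DAY
        if idle_days > inactive_days:
            findings.append("inactive")

    return findings


def audit_users(users, now=NOW, **thresholds):
    """Map username -> findings for every user with at least one finding."""
    report = {}
    for user in users:
        findings = classify_user(user, now, **thresholds)
        if findings:
            report[user["username"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS).items():
        print(f"{name:<6} {', '.join(findings)}")
```

In the sample, `bob` is the case Practice #1 warns about: a bypass-status account that is used regularly yet has never registered a device, so a stolen password is all an attacker needs. The stale partial enrollments are candidates for the lockout-after-a-period setting mentioned above; the inactive enrolled accounts are the overprovisioned ones from Practice #2.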

Practice #4: Detect suspicious activity

Even the best security posture does not provide complete protection against malicious actors. Organizations should monitor for suspicious device registrations and authentication activity, either of which could indicate that an attacker has gained access.

Duo Trust Monitor, available on Duo’s Advantage and Premier editions, detects and notifies admins about suspicious activity in their accounts, including device registrations. Activity and authentication logs can also be imported into a third-party monitoring and detection tool using the Duo Admin API.

Conclusion

Duo’s policy and configuration options give administrators many ways to ensure that users are broadly enrolled in MFA across their organization. The choice of enrollment method and New User Policy ultimately comes down to each organization’s individual needs. Regardless of which options they choose, admins can keep the enrollment process secure by following the best practices above.

To learn more about setting up your organization’s Duo account, check out our Liftoff Guide.
