I recently joined a company that uses Duo for two-factor authentication, and I find it overwhelming. Every time I log into SSH, switch users, or use `sudo`, I'm prompted to approve a Duo push on my phone. It feels like I have to tap my phone constantly, and it takes a solid 15 minutes just to get set up every morning. Is this normal for companies trying to comply with regulations like CMMC? What are some other ways teams manage 2FA for SSH and admin access without so many interruptions? I've suggested using a Yubikey, but it seems like my IT department is ignoring me. Honestly, tapping a phone for every action is a hassle!
5 Answers
Your company could definitely stand to implement a proper PAM solution. Also, consider moving towards a passwordless setup using a FIDO2 key, which SSH now supports. After that, tweak PAM to only require Duo MFA when you’re using sudo since admin accounts really don’t differ much from regular accounts in terms of access once you're inside.
It’s possible to configure behavior-based 2FA. Rigid setups turn users off and can lead to them resisting the process altogether.
From what I recall, setting up Duo on Linux (like RHEL) using PAM can be tricky to do correctly to avoid double prompts with sudo commands. Following Cisco’s documentation can help avoid this, but you’ll need to tweak the PAM config carefully because updates can overwrite your settings if you're not careful. It might not be easy, but it can be managed with some effort.
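A way to check for the double-prompt situation the two answers above describe, as an added example that is not from the original thread or from Duo's documentation: it flattens the `auth` stack of each PAM service by following `include`/`substack` lines and counts how many times `pam_duo.so` is reached. The `/etc/pam.d` layout is a constructed, hypothetical sample embedded inline; on a real host you would load the files from disk instead.

```python
from collections import Counter

# Constructed RHEL-style /etc/pam.d layout (hypothetical, not from the post or Duo's docs).
# pam_duo.so is 'required' here so a static count matches what a user sees; a 'sufficient'
# module earlier in a stack could short-circuit it, so treat counts as hints, not proof.
PAM_D = {
    "system-auth": [
        "auth required pam_env.so",
        "auth requisite pam_unix.so try_first_pass nullok",
        "auth required pam_duo.so",      # added globally: every includer inherits it
    ],
    "password-auth": [
        "auth requisite pam_unix.so try_first_pass nullok",
        "auth required pam_duo.so",
    ],
    "sshd": ["auth substack password-auth"],
    "su": ["auth substack system-auth"],
    "sudo": [
        "auth required pam_duo.so",      # also added directly: second push on every sudo
        "auth include system-auth",
    ],
}

def auth_modules(service, files=PAM_D, seen=frozenset()):
    """Flatten the auth-type stack of `service`, following include/substack lines."""
    if service in seen or service not in files:   # include loop or missing file
        return []
    seen = seen | {service}
    modules = []
    for line in files[service]:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue                                 # skip comments/other module types
        control, module = parts[1], parts[2]
        if control in ("include", "substack"):
            modules.extend(auth_modules(module, files, seen))
        else:
            modules.append(module)
    return modules

def duo_prompt_count(service, files=PAM_D):
    """How many pam_duo.so entries a login through `service` passes through."""
    return Counter(auth_modules(service, files))["pam_duo.so"]

def audit(files=PAM_D, services=("sshd", "su", "sudo")):
    """Per-service pam_duo count; anything above 1 is a candidate for the double prompt."""
    return {svc: duo_prompt_count(svc, files) for svc in services}

if __name__ == "__main__":
    for svc, n in audit().items():
        print(f"{svc:<5} pam_duo runs {n}x" + ("  <-- double prompt" if n > 1 else ""))
```

Rerunning the audit after each update is a cheap way to catch a package upgrade that has re-added `pam_duo.so` to a shared stack you had already deduplicated.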
You can actually tweak your Duo settings so it won't prompt you for 2FA when using UAC elevation on Windows. I'm pretty sure there's a way to do something similar on Linux too. We usually set up Duo to only ask for 2FA when you first connect via RDP or SSH, and once you're in, you're good to go without constant prompts.
This sounds like a misconfigured setup to me. While compliance standards require multi-factor authentication, they don't mandate a prompt for every single action like lateral moves or sudo commands. When we set things up, we adjust the re-authentication time so it doesn't bombard users every thirty seconds. If the setup is too annoying, users might just start approving everything without thinking, which could make it less secure overall.
I really wish Duo had a number matching feature like Microsoft’s. I don’t trust users to simply approve anything, especially if an attacker tries to gain access!
I thought you were suggesting to intentionally make it harder for users, which would just encourage reckless approval behavior!

I still have to SSH in as a regular user, switch to an admin, and then use sudo. That means I’m dealing with three Duo prompts for each terminal session!