The importance of implementing multi-factor authentication (MFA) is hard to overstate. With tens of thousands of cyber attacks occurring every day and ever-more sophisticated attack methods, most organizations now recognize that protecting access requires more than a password. Having two or more factors of authentication in place is the gold standard.
The data backs this up. On the weaknesses of passwords, a report by Dataprot claims that over half of us use the same passwords for our personal and work accounts. Plus, nearly 60% of phishing scam victims say they haven’t changed their existing password following an attack.
What’s more, the 2023 Verizon Data Breach Investigations Report shows that 74% of all data breaches involve a human element, which includes social engineering attacks, errors or misuse, leading Verizon to recommend people-proofing your systems.
The case is clear for requiring at least two factors of authentication to secure access to important resources. At the same time, you also need an MFA solution that best suits the unique needs of your organization.
Here we take a closer look at two examples of such solutions, specifically looking at how they integrate with Active Directory and support hybrid on-premise/cloud environments. We’ve broken down the finer details of UserLock vs Duo to showcase the pros and cons of each and give you a clearer idea of which may work best for your organization.
Duo MFA review
Duo, sometimes called Duo Security, is part of the Cisco Secure Suite of security products and its Duo MFA edition offers MFA and 2FA. MFA users frequently choose the Duo Push mobile app as the second authentication method, but they can also choose between other authentication methods. A few examples of these methods include biometrics, security keys, tokens, secure generated passcodes, and additional verification codes for the Duo Push mobile application.
Cisco Secure claims that Duo is designed for easy deployment and integration with users over any device. They also praise the platform’s scalability and state that minimal IT involvement is required during roll out.
IT admins can also manage and monitor, from a single dashboard, all of their employees’ devices and the applications they wish to access, as well as control any single sign-on (SSO) authentication. Admins can also restrict access, or assign further security measures, per network and per application that the end user is accessing.
However, there are multiple editions and pricing plans in place with varying levels of functionality:
Duo MFA is priced at $3 per user a month
Duo Access (the most popular option) is $6 per user a month
Duo Beyond is $9 per user a month
Duo Free — as the name suggests — is free for up to 10 different users
All editions come with 2FA and MFA security options via Duo Push, but only Duo Beyond gives access to the full plan of features. The rest are limited to a smaller number of authentication methods and the free plan doesn’t include any dashboard management functions.
To summarize the pros we’ve seen in our market research of Duo, users have championed the platform for these reasons:
It’s supported across a wealth of major devices, including iOS, Android, Windows, and more.
The user interface is simple, easy to use and the end-user portal is also easy to access for admins and end-users.
There’s a variety of authentication methods available.
It allows IT admins to choose between an admin enrolling users or user self-enrollment.
Remote access and platform management can help identify threats and increase security for a business’s systems and networks.
Endpoint analysis for devices allows Duo to manage and monitor users authenticating with whatever device they use.
Organizations that have already transitioned to 100% cloud-based identity management will most benefit from Duo’s cloud-oriented features and functionalities.
Before you choose to implement Duo, you can use the free 30-day trial to test it and help truly determine if it’s the right option for you.
Our research also found a number of issues some users have had when using Duo:
The on-premise integrations and capabilities are more of an add-on than by design.
User profiles have to be created in Duo, either manually or through the synchronization.
IT admins with an Active Directory environment must manage an additional, duplicate directory since identity authentication takes place in the cloud, which complicates management and can be time-consuming.
As authentication takes place in the cloud this also means there’s no offline MFA. This can lead to security risks through instances of unreliable connectivity to the cloud. Additionally, it can lead to compliance issues for some.
Active Directory integration is not automatic and requires installing another piece of software, Duo Authentication Proxy.
Synchronization is needed as Duo acts as the identity provider which can be a problematic process.
Synchronization with Active Directory only runs twice a day automatically (manual synchronization is possible), which can lead to a loss of time and incomplete visibility.
Since many compliance regulations require identity authentication to remain on-premise, Duo cannot fulfill many organizations’ security requirements.
Such cloud systems also often lack the tools and features to manage the on premise infrastructure organizations will need to retain to support legacy systems.
Session control beyond MFA is not possible.
An absence of granular MFA means that local and RDP settings are minimal, and admins can’t choose to prompt MFA for certain users or groups for remote or local connections.
A wide variety of authentication methods can be confusing and complicated.
The user interface can be quite cluttered in places, and some users think the portal gives too many options (particularly IT admins).
The pricing structure makes the cost very expensive for both smaller and very large numbers of users, which can be prohibitive for SMBs and enterprises alike.
Additional IT support would be useful for those on lower-cost plans.
Administrators can only configure offline MFA (without an internet connection) as a temporary solution for a set number of connections or days.
Duo MFA alternative: UserLock
Our Duo MFA alternative, UserLock, secures on-site, cloud and remote access with MFA and SSO capabilities. In addition to this, your organization can pair MFA with powerful contextual restrictions and session management capabilities, adding even more layers of security to further verify all users’ claimed identity and secure network access.
With UserLock’s contextual restrictions, your IT admins can set policies to authorize, limit or deny access attempts by machine, device, location, time, session type, initial access point and number of simultaneous sessions.
And IT admins can also customize MFA conditions to ensure less friction for users. UserLock’s granular MFA allows organizations to customize, set and manage UserLock MFA by aspects like user, group, organizational unit (OU) and connection type. Critically, this means the IT admin doesn’t have to require MFA each time a user logs in. The IT admin defines under what circumstances to require MFA, allowing organizations to balance user productivity and security.
Easy to deploy, UserLock MFA can be rolled out quickly as an extension of your existing on-premises AD – it’s also scalable and can grow as your organization’s requirements do. And since identity authentication remains on-premises, UserLock’s secure SSO gives hybrid organizations access to cloud resources without abandoning the ease of use and familiarity of AD.
Reporting and auditing add a further layer of protection against bad or careless behavior: UserLock allows IT admins to easily track and report on all Windows, Active Directory and cloud application access events, which supports IT forensics.
Rather than offering a series of rates calculated by the number of devices protected, UserLock has a simple, annual licensing scheme based on the number of active users over a 30-day period. For more information about UserLock’s pricing, you can request a quote.
Our market research and published reviews from customers reveal a number of interesting insights:
It’s easy to get UserLock up and running, and because the solution is designed for Active Directory, integration is automatic.
Identity authentication takes place entirely on premise using Active Directory accounts for local and SSO authentication.
New groups or users are synchronized every 5 minutes, and users added to groups are synchronized in real time.
The UserLock agent is deployed automatically to all devices at setup, which eliminates the need to manually enter devices.
Different levels of access can be provided to suit the different security levels of employees.
Granular MFA policies allow IT admins to prompt MFA by AD user, group, OU, connection type and frequency.
Robust session control options allow IT admins to limit concurrent sessions and restrict access by hour, machine, IP range, location, and others.
Access control can be role-based or attribute-based, and these detailed and granular capabilities allow organizations to find an optimal balance between security and productivity.
On-premises identity authentication allows organizations to meet compliance regulations that require authentication to stay on-premise.
The pricing structure makes UserLock a more affordable option for SMEs and large enterprises.
MFA works without internet access.
MFA works on out-of-network connections thanks to UserLock Anywhere, which also enables contextual restrictions, reporting and alerting to work exactly the same as within the network.
MFA can be requested for interactive sessions without connection to the network, as long as the users are already enrolled in MFA.
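To make the granular MFA policies and session-control options described above (scoping by group or OU, per connection type, an MFA frequency, plus concurrent-session and authorized-hours limits) concrete, here is an added Python sketch of how such a policy engine might evaluate a logon. It is illustrative code written for this article, not UserLock’s implementation; the rule vocabulary, class names and sample users are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# All names and the rule vocabulary below are constructed for illustration,
# not UserLock's real configuration schema.

@dataclass
class Logon:
    user: str
    groups: frozenset
    ou: str
    connection: str        # "local", "rdp" or "vpn"
    when: datetime
    active_sessions: int   # sessions this user already has open

@dataclass
class MfaRule:
    scope: tuple           # ("user", name), ("group", name) or ("ou", dn)
    connections: frozenset # connection types the rule covers
    frequency: str         # "every_logon" or "daily"

def ts(s):
    return datetime.fromisoformat(s)

def rule_matches(rule, logon):
    kind, value = rule.scope
    in_scope = {"user": logon.user == value,
                "group": value in logon.groups,
                "ou": logon.ou == value}[kind]
    return in_scope and logon.connection in rule.connections

def decide(logon, rules, last_mfa, max_sessions=2, hours=(time(7), time(19))):
    """Contextual restrictions deny first; then the first matching MFA rule decides."""
    if logon.active_sessions >= max_sessions:
        return "deny", "concurrent session limit reached"
    if not hours[0] <= logon.when.time() < hours[1]:
        return "deny", "outside authorized hours"
    for rule in rules:                         # ordered list: first match wins
        if not rule_matches(rule, logon):
            continue
        last = last_mfa.get(logon.user)        # when this user last passed MFA
        if rule.frequency == "daily" and last and logon.when - last < timedelta(hours=24):
            return "allow", "MFA already satisfied in the last 24h"
        return "mfa", f"rule {rule.scope} ({rule.frequency})"
    return "allow", "no MFA rule matched"

RULES = [  # admins always prompted; Finance prompted daily, but only on remote connections
    MfaRule(("group", "Domain Admins"), frozenset({"local", "rdp", "vpn"}), "every_logon"),
    MfaRule(("ou", "OU=Finance,DC=corp,DC=example"), frozenset({"rdp", "vpn"}), "daily"),
]
```

Rule order matters: a broad "daily" rule placed before the admin rule would let an admin skip the prompt, so put the strictest scopes first.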
Some users have highlighted the following cons:
There isn’t a mobile Push app available right now to use alongside the platform as an authentication method. However, a Push app is in production and slated for release early 2023.
Unlike some other platforms, UserLock doesn’t have a licensing platform for MSPs but this is also in production and scheduled for release in 2023. When released, it will include aggregate pricing (based on the total number of users across all customers) and easy self-provisioning of licenses for end customers.
The platform cannot be branded using an organization’s specific color scheme or theme.
There isn’t as much choice for MFA authentication methods as there is with other providers, due to a choice not to include weaker second factors such as SMS, email and telephone.
Users must self-enroll.
UserLock doesn’t analyze endpoints, which can be limiting for some organizations. UserLock applies policies for devices where an agent has been deployed, which enables MFA to work without internet connection.
To learn more about the pros and cons of UserLock, please take a look through our additional user reviews here. You can also review a selection of case studies that showcase what UserLock has provided for a variety of organizations in diverse sectors.
UserLock vs Duo: Active Directory compatibility
Last but certainly not least, a key user requirement when it comes to UserLock vs Duo is their AD compatibility. Both platforms can be integrated with AD and can be considered secure, but there’s a major and notable difference here.
UserLock builds on AD and keeps AD as the identity platform. Therefore, it’s possible for UserLock to apply changes to the access control rules of users in almost real-time.
UserLock’s seamless extension of AD allows administrators to see and react to threats in real time. For example, if a user in your company asks to work outside of their existing access control rule (i.e., during unauthorized hours), the IT admin can apply a new temporary rule that then automatically reverts to the normal policy.
By comparison, Duo MFA’s Active Directory synchronization runs just twice a day, or is run manually by an admin. This process clearly isn’t as efficient or reactive as UserLock’s and won’t be as practical. It may also take additional time to manage.
As such, with UserLock your organization essentially retains the use and functionality of your chosen AD so that you encounter much less disruption with your overall processes.
With all the above you should be in a better position to select a platform that suits your organization’s AD and specific requirements.