IS Decisions Blog

UserLock: A Duo MFA alternative

Compare Duo multi-factor authentication (MFA) with UserLock. Get the details on key differences, evaluate pros and cons, and learn which solution integrates best with Active Directory.

Updated May 27, 2024
UserLock vs. Duo

It's hard to overstate the importance of implementing multi-factor authentication (MFA). With tens of thousands of cyber attacks occurring every day and ever-more sophisticated attack methods, most organizations now recognize that protecting access requires more than a password. Having two or more factors of authentication in place is the gold standard.

And the data backs this up. As far as password weaknesses go, a report by Dataprot claims that over half of us have the same passwords for our personal and work accounts. Plus, nearly 60% of phishing scam victims say they haven’t changed their password after an attack.

What’s more, the 2024 Verizon Data Breach Investigation Report shows that 68% of all data breaches involve a human element, which includes social engineering attacks, errors, or misuse, leading Verizon to recommend people-proofing your systems.

The case is clear for requiring at least two factors of authentication to secure access to important resources. At the same time, you also need an MFA solution that best suits the unique needs of your organization.

Here, we'll take a closer look at two MFA solutions, UserLock and Duo, specifically looking at how they integrate with Active Directory and support hybrid on-premise/cloud environments. We’ve broken down the finer details of UserLock vs Duo to showcase the pros and cons of each and give you a clearer idea of which may work best for your organization.

Duo MFA review

Duo, also known as Cisco Duo or Duo Security, is part of the Cisco Secure Suite of security products. Cisco Duo offers MFA, which is also branded as Duo 2FA.

Cisco Secure says Duo MFA is designed for easy deployment and integration with users over any device. Cisco touts the platform’s scalability and positions a Duo MFA rollout as one that needs minimal IT involvement.

If you're an IT admin, Duo allows you to manage and monitor a dashboard of all your employees’ devices and the applications they wish to access, as well as control any single sign-on (SSO) authentication. You can also restrict or assign further access security measures for different networks and applications that the end user is accessing.

Duo also offers a few different options for MFA methods. MFA users frequently choose the Duo Push mobile app as the second authentication method, but they can also choose SMS, email, biometrics, security keys, tokens, secure generated passcodes, and additional verification codes for the Duo Push mobile application.

Duo has multiple editions and pricing plans in place with varying levels of functionality:

  • Duo Essentials is priced at $3 per user a month.

  • Duo Advantage (the most popular option) is $6 per user a month.

  • Duo Premier is $9 per user a month.

  • Duo Free — as the name suggests — is free for up to 10 different users.

All editions come with 2FA and MFA security options via Duo Push, but only Duo Premier gives access to the full plan of features. The rest are limited to a smaller number of authentication methods and the free plan doesn’t include any dashboard management functions.

Pros

To summarize the pros we’ve seen in our market research of Duo, here's what users like about the platform:

  • It’s supported across a lot of major devices and operating systems, including iOS, Android, Windows, and more.

  • The user interface is simple and easy to use, and the end-user portal is also easy to access for admins and end-users.

  • There’s a variety of authentication methods available.

  • It allows IT admins to choose between an admin enrolling users or user self-enrollment.

  • Remote access and platform management can help identify threats and increase security for a business’s systems and networks.

  • Endpoint analysis for devices allows Duo to manage and monitor users authenticating with whatever device they use.

Key takeaways:

  • Organizations that have already transitioned to 100% cloud-based identity management will most benefit from Duo’s cloud-oriented features and functionalities.

  • Before you choose to implement Duo, you can use the free 30-day trial to test it and help truly determine if it’s the right option for you.

Cons

Our research also found several issues frequently noted by Duo users:

  • At first look, it can seem like Duo is an identity provider (IdP). But that's not the case. You need to first have an IdP like Active Directory, Entra ID, or Okta.

  • The on-premise integrations and capabilities are more of an add-on than by design.

  • Active Directory integration is not automatic and requires installing another piece of software, Duo Authentication Proxy.

  • Synchronization with Active Directory only runs twice a day automatically (manual synchronization is possible), which can lead to a loss of time and incomplete visibility.

  • Admins have to create user profiles in Duo, either manually or through synchronization. If a user is part of multiple groups, setup can quickly get complicated.

  • IT admins with an on-premise Active Directory environment must manage an additional, duplicate directory since identity authentication must take place with a cloud-based IdP. This complicates management, and managing a duplicate directory can be time-consuming.

  • Offline MFA capabilities are limited. Administrators can only configure offline MFA (without an internet connection) as a temporary solution for a set number of connections or days. The user, not the admin, must complete offline configuration. This means that even if the admin requires offline MFA configuration, they still have to follow up with their users to ensure they've completed enrollment. If a user simply doesn't enroll, this can lead to big security gaps if the power goes out, if the internet connection isn't reliable, or if the user connects without an internet connection. Additionally, it can lead to compliance issues for organizations obligated to require MFA in all circumstances.

  • Since many compliance regulations require identity authentication to remain on-premise, Duo cannot fulfill security requirements for many organizations in highly-regulated sectors.

  • Duo's cloud-based systems also often lack the tools and features needed to manage the on-premise infrastructure organizations need to retain to support legacy systems.

  • Session control beyond MFA is not possible.

  • An absence of granular MFA means that local and RDP settings are minimal, and admins can’t choose to prompt MFA for certain users or groups for remote or local connections.

  • The wide variety of authentication methods can be confusing and complicated. Some MFA methods are also not very secure, such as SMS (which is also expensive), and email.

  • The user interface can be quite cluttered in places, and some users think the portal gives too many options (particularly IT admins).

  • The pricing structure makes Duo very expensive for both smaller and very large numbers of users, which can be prohibitive for SMBs and enterprises alike.

  • Additional IT support would be useful for those on lower-cost plans.

Duo MFA alternative: UserLock

Our Duo MFA alternative, UserLock, secures on-site, cloud and remote access with MFA and SSO capabilities. In addition to this, your organization can pair MFA with powerful contextual restrictions and session management capabilities, adding even more layers of security to further verify all users’ claimed identity and secure network access.

With UserLock’s contextual restrictions, your IT admins can set policies to authorize, limit or deny access attempts by machine, device, location, time, session type, initial access point and number of simultaneous sessions.

And IT admins can also customize MFA conditions to ensure less friction for users. UserLock’s granular MFA allows organizations to customize, set and manage UserLock MFA by aspects like user, group, organizational unit (OU) and connection type. Critically, this means the IT admin doesn’t have to require MFA each time a user logs in. The IT admin defines under what circumstances to require MFA, allowing organizations to balance user productivity and security.

Easy to deploy, UserLock MFA can be rolled out quickly as an extension of your existing on-premises AD – it’s also scalable and can grow as your organization’s requirements do. And since identity authentication remains on-premises, UserLock’s secure SSO gives hybrid organizations access to cloud resources without abandoning the ease of use and familiarity of AD.

Further reporting and auditing can also be utilized to give protection against bad or careless behavior. Also, UserLock allows IT admins to easily track and report on all Windows, Active Directory and cloud application access events, which supports IT forensics.

Rather than offering a series of rates calculated by the number of devices protected, UserLock has a simple, annual licensing scheme based on the number of active users over a 30-day period. For more information about UserLock’s pricing, you can request a quote.

Pros

Our market research and published reviews from customers reveal a number of interesting insights:

  • It’s easy to get UserLock up and running, and because the solution is designed for Active Directory, integration is automatic.

  • Identity authentication takes place entirely on premise using Active Directory accounts for local and SSO authentication.

  • New groups or users are synchronized every 5 minutes, and users added to groups are synchronized in real time.

  • The UserLock agent is deployed automatically to all devices at setup, which eliminates the need to manually enter devices.

  • Different levels of access can be provided to suit the different security levels of employees.

  • Granular MFA policies allow IT admins to prompt MFA by AD user, group, OU, connection type and frequency.

  • Robust session control options allow IT admins to limit concurrent sessions and restrict access by hour, machine, IP range, location, and others.

  • Access control can be role-based or attribute-based, and these detailed and granular capabilities allow organizations to find an optimal balance between security and productivity.

  • On-premises identity authentication allows organizations to meet compliance regulations that require authentication to stay on-premise.

  • The pricing structure makes UserLock a more affordable option for SMEs and large enterprises.

  • UserLock's MFA works without internet access. Admins don't have to worry about enabling offline MFA, or getting users to configure it since UserLock's offline MFA works right out of the box. Online or offline, the experience isn't any different for the user.

  • MFA works on out-of-network, VPN-less connections thanks to UserLock Anywhere, which also ensures contextual restrictions, reporting, and alerting work the same as within the network.

  • Admins can enable MFA for interactive sessions without connection to the network, as long as the users are already enrolled in MFA.

  • Admins can offer up to two secure MFA methods to their end users, including easy-to-use push notifications, authenticator apps, and hardware tokens and keys.

Cons

Some users have highlighted the following cons:

  • The platform cannot be branded using an organization’s specific color scheme or theme.

  • There isn’t as much choice for MFA authentication methods as there is with other providers, due to a choice not to include weaker second factors such as SMS, email, and telephone.

  • Users must self-enroll.

  • UserLock doesn’t analyze endpoints, which can be limiting for some organizations. UserLock applies policies for devices where an agent has been deployed, which enables MFA to work without an internet connection.

To learn more about the pros and cons of UserLock, please take a look through our additional user reviews here. You can also review a selection of case studies that showcase how UserLock provides easy, effective MFA and access security for Active Directory across sectors.

UserLock vs Duo: Active Directory compatibility is key

Last but certainly not least, a key user requirement when it comes to UserLock vs Duo is their AD compatibility. Both platforms can be integrated with AD and can be considered secure, but there’s a major and notable difference here.

UserLock is an on-premise MFA solution that builds on AD and keeps AD as the identity platform. That means UserLock can apply changes to user access control rules in real-time.

UserLock’s seamless extension as an add-on to AD allows administrators to see and react to threats in real time. For example, if a user in your company asks to work outside of their existing access control rule (e.g., during unauthorized hours), the IT admin can apply a new temporary rule that will then automatically revert to normal.

By comparison, Duo MFA’s Active Directory synchronization runs just twice a day, or it’s manually done by an admin. This process clearly isn’t as efficient or reactive as UserLock and won’t be as practical. It may also take additional time to manage.

As such, with UserLock your organization essentially retains the use and functionality of your chosen AD so that you encounter much less disruption with your overall processes.

With all the above you should be in a better position to select a platform that suits your organization’s AD and specific requirements.
