Passwordless and MFA push-based security apps are becoming the norm in enterprises. We compare the features and costs of two of the biggest players in this space, Duo and Microsoft Authenticator, and pit them head-to-head.
Enterprises have tightened their security controls as working from home has grown over the past few years. One way to enforce those controls is to require two-factor authentication (2FA, also known as MFA or multi-factor authentication). By requiring a username, a password and a security prompt answered with a rolling 2FA code or a push notification, a system can confirm that the user's enrolled device is in their possession when they authenticate.
There are a few apps that can turn existing iOS and Android devices into a second factor, but two have risen to the top of our radar during the past few years, especially when it comes to authenticating via push notifications (API callbacks for custom and supported applications): Microsoft Authenticator and Duo. We'll delve into both and find out which multi-factor authentication software provides the best bang for the buck when it comes to features, pricing and usability.
An overview of Microsoft Authenticator and Duo
Microsoft Authenticator is a 2FA/MFA application that supports two-factor authentication via push notifications and lets you register your own 2FA accounts in the same app. It can automatically configure your device for multi-factor authentication when you sign in to an account managed by an organization, and it ties into existing Microsoft subscriptions and Active Directory accounts to protect accounts administered through an AD configuration. One of Microsoft's biggest advantages is that the service is bundled for free with all Microsoft 365 and Azure Active Directory subscriptions, which can be a bargain if your organization already subscribes.
Duo is a 2FA/MFA app with a self-enrollment feature that allows employees to enroll their personal or work devices. Duo supports software-based one-time passwords (like Microsoft Authenticator and Google Authenticator) and offers "bypass codes" that are generated in the Duo app and can be used if your device cannot receive push notifications for any reason. Duo also provides many other software- and hardware-based features, such as the ability to geofence authentication requests.
Duo vs. Microsoft Authenticator: Features comparison
Most enterprise organizations evaluating Duo or Microsoft Authenticator will care primarily about integrations: existing software, custom software and server applications that can interface with these apps to support MFA requests. Duo supports unlimited application integrations through its platform on every edition. Microsoft Authenticator integrates with Microsoft services and Azure Active Directory services; for custom applications it falls back to time-based one-time password (TOTP) integration, which works with any compliant MFA app (Google Authenticator, Microsoft Authenticator and others) and generates a six-digit, one-time password to authenticate.
The biggest delineation here: Microsoft Authenticator integrates nicely with its own services, but you'll need to fall back to the built-in TOTP feature for any custom services your organization maintains. Duo Mobile, on the other hand, can integrate with traditional TOTP services or use Duo's API to provide push notification authentication.
Backup TOTP codes can be generated for integrated apps in both Microsoft Authenticator and Duo Mobile.
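To make the TOTP fallback both apps rely on concrete, here is an added example (not code from the article, Duo or Microsoft) of what the server side of a TOTP integration does: it derives the six- or eight-digit code from a shared seed and the current 30-second time step per RFC 4226/6238, decodes the Base32 seed the way authenticator apps exchange it, and verifies submitted codes with drift tolerance, constant-time comparison and replay protection. The seed is the RFC test-vector secret, so the codes are the published ones; the TotpVerifier class and its window/replay policy are this example's own design, not either vendor's.

```python
"""Added example: minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) generation and a
server-side verifier. Not the article's or either vendor's code."""
import base64
import hashlib
import hmac
import struct

# Shared secret used by the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange the seed as Base32 (the otpauth:// 'secret' field),
    often displayed in lowercase groups; normalise and restore padding before decoding."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier (this example's own design): tolerates clock drift of
    +/-window steps and never accepts a time step at or before the last one that
    succeeded, so a code captured in transit cannot be replayed within its 30-second life."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_accepted_step = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        now_step = unix_time // self.step
        for skew in range(-self.window, self.window + 1):
            step_counter = now_step + skew
            if step_counter <= self.last_accepted_step:
                continue  # already consumed, or older than a step already consumed
            expected = hotp(self.key, step_counter, self.digits)
            # Constant-time comparison so a mismatch does not leak which digits matched.
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step_counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 with SHA-1 gives 94287082 (8 digits), i.e. 287082 (6 digits).
    print(totp(RFC_TEST_SECRET, 59), totp(RFC_TEST_SECRET, 59, digits=8))
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print(verifier.verify("287082", 59), verifier.verify("287082", 60))  # True, then False (replay)
```

The window of one step on each side is the usual compromise between users whose phone clock drifts a few seconds and the doubling of the attacker's guessing space that each extra step adds; tracking the last accepted step is what stops a phished code from being reused before it expires.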
Microsoft Authenticator and Duo both support push notification-based authentication. With this method, when a user signs in to a service that supports one of these apps, the user receives an authentication request as a push notification. Tapping the notification and acknowledging it triggers an API callback to the service attempting the sign-in, which completes it without the user typing any code.
Duo supports myriad monitoring options for security-minded organizations. These include preemptive controls such as enforcing security policies per application, allowing authentication only from authorized networks, applying different policies to BYOD mobile devices than to corporate-owned devices, and monitoring for and identifying risky devices or risky authentication attempts.
Microsoft Authenticator, on the other hand, appears to offer little or no built-in threat detection or comparable security features unless the organization and its devices are enrolled in Microsoft Intune (Microsoft's mobile device management package).
One of the biggest advantages of applications like Microsoft Authenticator and Duo Mobile is the ability to log in to services without supplying a username and password, known as passwordless login. Both Duo Mobile and Microsoft Authenticator support this feature; however, the Microsoft solution only works with supported services. Duo's passwordless feature is available in preview for apps and services that support Duo SSO (single sign-on) and supported third-party SSO. It is not available in the Duo Free plan; only paid users get access to it.
Duo vs. Microsoft Authenticator: Integrations
Built-in integrations for Microsoft Authenticator are as follows:
- Microsoft Azure Active Directory applications
- Microsoft 365 accounts
- Any application or service that uses traditional TOTP 2FA integration can also be added to the application and used to sign in to those accounts manually.
Duo Mobile supports an ever-growing list of services. The following services work with Duo's push notification authentication feature out of the box (or can use a backup TOTP code to authenticate as well):
- Akamai Enterprise Application Access
- Appsian Security Platform
- Array AG SSL VPN
- Aruba ClearPass
- Atlassian Confluence
- Atlassian Jira
- Barracuda SSL VPN
- CAS (Central Authentication Service)
- Cisco ASA SSL VPN
- Citrix Gateway (Netscaler)
- Duo Device Management Portal (DMP)
- Duo Access Gateway (DAG)
- Duo Network Gateway (DNG)
- F5 BIG-IP APM
- IBM Resilient
- Juniper SSL VPN
- Microsoft AD FS
- Microsoft Azure Conditional Access
- Microsoft Outlook Web App (OWA)
- Microsoft RD Web
- OPAQ 360
- Oracle Access Manager
- Palo Alto SSO
- Ping Federate
- Pulse Secure SSL VPN
- SonicWall SRA SSL VPN
- Splunk Admin Login
The biggest benefit of Duo Mobile, however, is that its integrations can be extended without limit: even custom applications can be integrated with Duo Mobile through its SSO or push API.
Duo vs. Microsoft Authenticator: Pricing and availability
Microsoft Authenticator (free; bundled)
Microsoft Authenticator pricing follows a straightforward model: it is free and bundled with all Microsoft Azure Active Directory and Microsoft 365 Business accounts. For a full list of prices and features, visit this guide to determine whether Microsoft Authenticator is bundled with your organization's existing licenses.
Duo Mobile (free; paid tier starting at $3/user/month)
Duo Mobile follows a tiered system based on the features and services you'd like added. A free tier allows up to 10 users; above that come Duo MFA ($3/user/month; useful if you only want MFA support), Duo Access ($6/user/month; useful if you want monitoring and device trust support) and finally Duo Beyond ($9/user/month; adds gateway and internal services integrations). A detailed chart explaining the features bundled with each tier is on the Duo Mobile website.
Both Duo Mobile and Microsoft Authenticator are supported on Android and iOS. Push notifications from both can also be configured to be actionable, so the end user can approve sign-ins without opening the application, provided they have authenticated on their device's lock screen or on an unlocked Apple Watch or other supported smartwatch.
Duo vs. Microsoft Authenticator: Which one should you choose?
If your organization relies on Microsoft Azure Active Directory or Microsoft 365 products and only those products, then you already have Microsoft Authenticator for free. This is a no-brainer for many organizations that don't want to add another subscription for all employees, plus another application and enrollment process.
Our pick in this space, however, is Duo, because it provides a more robust solution, allowing custom application integration as well as integration with popular applications and services like Slack, Atlassian, Dropbox and more. Duo does have a cost associated with it; however, we find that cost relatively low for a product with so many configuration options. Duo also supports multiple services and is rolling out passwordless authentication, which ensures that users don't have to remember their passwords. When users are required to remember them, they often create passwords that are too simple.