InCommon Duo Security FAQ

Licensing and Pricing

I'd like to take Duo for a test drive before signing up for a site-wide license. How can I do that?

Anyone can directly sign up for the Duo Security Personal plan, which allows for up to ten users at no cost. This is perfect for limited testing and evaluation purposes.

Do I need to be an InCommon participant to sign up for Duo?

Yes, to sign up for a Duo site license through InCommon, you must be an InCommon participant. You are not required to take advantage of any other InCommon program (Federation, Certificates, or Assurance), but you do need to join InCommon.

My institution is an Internet2 member. Do we qualify for the InCommon Duo program?

Being an Internet2 member gives you a 10% discount on the cost of a Duo site license, but you also need to be an InCommon participant to sign up for Duo. The InCommon Participation Agreement is key to the administration of this program.

Do I have to be a member of Internet2 to participate in the InCommon Duo program?

No, you are not required to be an Internet2 member to sign up for Duo, but Internet2 members receive a discount when they sign up for a Duo site license.

Only part of our campus wants Duo. Can we license just a subset of our campus community?

There is no option for licensing Duo for a particular subset of your campus (such as your School of Law) or for a particular type of user (such as administrative users). The Duo licensing program is a campus-wide site license, so in general, most schools have a choice of two options:

  1. All university faculty and staff (excluding hospital staff)
  2. All university faculty, staff and students (excluding hospital staff)

The fee in each case will vary with the size (based on IPEDS student count) of your school.

A university with an associated hospital can purchase a license supplement to cover hospital staff, with the additional fee scaled to the hospital's bed count.

See the Duo rate card for pricing details.

The Duo rate card talks about "telephony credits." What are those?

Duo provides a wide range of options when it comes to authenticating a user login. We expect that most Duo users will prefer to use either Duo Mobile or Duo Push, neither of which consume any telephony credits and can be used without limit.

Duo also supports two-factor login via other methods, such as automated voice calls or SMS messages. Duo incurs a small marginal cost when an automated voice call is made (long distance telephone charges) or an SMS message needs to be sent (SMS charges), with the exact amount depending on the source and destination of the call or message. Telephony credits are the way that Duo ensures those marginal costs don't get out of control. Telephony credits are purchased in advance as a non-expiring credit in a pool that covers all user accounts at a site. In the United States, voice calls for login confirmation incur a two (2) credit charge; SMS messages for login confirmation cost one (1) credit in the US. Rate cards for other countries are available.

Telephony credits are purchased directly from Duo after you have enrolled in the program.

Could we align our Duo subscription date with the date of other InCommon billings?

Unfortunately, we cannot arrange that your Duo subscription align with your InCommon annual fee (all InCommon annual fees are due January 1, while the Duo subscription date depends on when you first signed up for Duo).

Deployment

What's the difference between Duo Mobile and Duo Push?

Duo Mobile is a mobile application for smartphones that generates a one-time password (i.e., a secret, random-looking number on the user's smartphone), which the user then types into the application that requires authentication. Duo Push is a special feature of the Duo Mobile application that uses mobile push services to authenticate the user right on the smartphone, without the need to type the one-time password into the application.

What platforms does the Duo Mobile app run on? What about Duo Push?

The Duo Mobile app runs on the following platforms:

  • Google Android
  • Apple iPhone
  • RIM BlackBerry
  • Java J2ME
  • Palm WebOS
  • Symbian OS
  • Windows Mobile

Duo Push, which is a special feature of the Duo Mobile app, is available on Google Android, Apple iPhone, and RIM BlackBerry only.

What if a user does not have a smart phone?

A variety of options exist to accommodate users without smart phones:

  • An ordinary mobile phone (not a smart phone), or even a traditional desktop phone, can be used to authenticate with Duo.
  • If the user doesn't have any phone, the institution can elect to purchase a traditional hard cryptographic one-time password token for that user at $20/token, or the school may want to consider an inexpensive prepaid basic cell phone for this purpose.
  • Finally, if the person without a phone is just a regular user (i.e., not a user with special privileges or access to sensitive data), yet another option would be to selectively disable use of Duo for that user.

On the server side, is Duo deployed at the IdP or the SP?

Actually, you can choose how best to deploy Duo in your environment. At the SP, Duo Web supports client libraries for Python, Ruby, Classic ASP, ASP.NET, Java, PHP, Node.js, ColdFusion, and Perl. At the IdP, Duo provides a custom login handler for Shibboleth IdP 2.3.5.

What services can be secured with Duo? Will it work for the web? Our SSL VPN? What about shell access to Unix hosts?

Duo integrates with virtually all popular web applications, SSL VPNs, and Unix applications. See the Duo solutions and documentation pages on their web site for details.

Miscellaneous

Our campus is committed to open source software, particularly for security-related applications. Can we see the source code for Duo?

Yes, the Duo source code is available on GitHub.

  • No labels