Historically, I have had a long history with VMware Identity Manager a.k.a. Workspace ONE Access. Whether you refer to my podcast with Brian and Gabe or my very popular VMworld 2018 Session, I have been an expert for several years with VMware’s IAM product. We have long been awaiting the Duo Mobile API integration, which as far as I am concerned does not disappoint. Let’s talk about why it matters, cover the integration, and enjoy a short demo on the user experience.
Isn’t RADIUS good enough?
The answer is not really. We have a number of great features that the Duo API integration buys us that people have been waiting for a long time. Let’s cover the different options:
- Prompt New Users to Enroll
- Block unenrolled users
- Controlling access based on geolocation (one of the top reasons that people buy Duo)
- Trusted Endpoints (I wish I could demo this but its part of Duo Beyond)
- Device Health Integration
There are plenty of other features that are duplications of Workspace ONE like enforcement based on OS and OS versions, which could be useful also if you have an application that you don’t want to allow external access to on Android as an example. The benefits overall of the Duo API integration are quite significant and luckily very easy to setup.
Setting up Duo Mobile Integration on Workspace ONE Access
I was pleasantly surprised by how easy it was to setup Duo in Workspace ONE Access. I’ve setup a few RADIUS connectors over the years, which can be a long process, but the Duo setup was relatively simple. I have to credit Steve’s article to helping me check my work since there isn’t anything from VMware that I have seen on setting this up so far. You can watch the short video below, which shows you how super simple it is to setup.
With the setup complete, we will be moving onto the usability demo, which will show you what the user experience is like and can be like depending how you set things up. I’m not getting too crazy, but you can certainly take a shot at seeing how far you can take things to deliver a special experience.
The Workspace ONE Access User Experience with Duo MFA
We will look at this first video demo, which show you what an uncustomized out of the box experience looks like with the Duo integration. Let’s see if it pops and makes us feel happy.
Well, that wasn’t too bad, but I think we can do better than this. We have some nice things that we can do, which you can read about in this Duo KB Article. It only takes a few minutes and you can drastically improve the UI. Let’s see if we can now deliver a solid user experience.
Well, that was definitely an improvement. With some branding and configuration, we made the user experience much better in just a few minutes. The brillance of Duo is you are delivering a ton of security under the covers and people don’t even realize it. Security through obscurity only works when its invisible and seamless.
Today, we covered something that I was starting to think would never happen. We have been clamoring for this functionality for years. Now, we can finally justify spending money on Duo instead of just using the Intelligent Hub/VMware Verify. Geolocation, device health, and many other policy features help us tell the “Zero Trust” story in a relatively cost effective way without needing to write code or put much effort into securing our endpoints and perimeters.