Updated: 08 Apr 2026
There is no shortage of MFA documentation online. What there is a shortage of is plain answers written for a CISO managing 3,000 users across five Indian cities, not a security architect in Atlanta.
This page exists to fix that. Fifty questions we hear regularly from IT heads, CISOs, infrastructure leads, and compliance officers across Indian enterprises. Answered directly, without the marketing fluff.
If your question is not here, write to us. We will add it.
Multi-factor authentication requires a user to prove their identity using two or more independent factors before being granted access to a system. The classic model is something you know (password), something you have (a mobile device or hardware token), and something you are (biometrics). In practice, most enterprise MFA combines a password with a push notification or one-time passcode delivered to a registered device.
It has become non-negotiable because the dominant attack vector for enterprise breaches is no longer network intrusion — it is credential compromise. Passwords are stolen through phishing, purchased from dark web markets after third-party breaches, or extracted through infostealer malware. Once an attacker has your password, a second factor is the only control that stands between them and your environment. Microsoft's own telemetry data indicates MFA blocks over 99% of automated credential attacks. The organisations getting breached in India right now are, with high frequency, ones where MFA was either absent or partially deployed.
Two-factor authentication (2FA) is a subset of MFA that requires exactly two factors. MFA is the broader category — it can mean two factors or more. In enterprise practice, the terms are often used interchangeably, since most deployments use two factors. The distinction matters more when discussing step-up authentication, where additional factors are required for higher-risk actions such as accessing sensitive systems or approving large financial transactions. For most Indian enterprise deployments, when someone says "we have 2FA," they mean they have a password plus one additional factor — usually an SMS OTP or a push notification.
SMS OTP was a significant improvement over passwords alone when it was introduced. It is no longer adequate as a standalone second factor for enterprise access for three reasons.
First, SIM swap attacks. A threat actor convinces a mobile carrier to transfer a victim's number to a SIM card in their possession. All OTPs then go to the attacker. This attack is not sophisticated and is actively used against Indian banking customers and enterprise targets.
Second, SS7 protocol vulnerabilities. The global telephony signalling protocol has known vulnerabilities that allow interception of SMS messages by nation-state actors and well-resourced criminal groups.
Third, real-time phishing. Modern phishing kits capture the OTP as the victim enters it on a fake page and replay it instantly to the real site — within the OTP's validity window. The user sees a convincing login page, enters their credentials and OTP, and the attacker has everything they need in under 30 seconds.
RBI's revised Authentication Directives acknowledge this and are explicitly moving regulated entities towards alternatives. For enterprise access — as distinct from consumer banking transactions — SMS OTP should be considered a legacy control, not a current one.
Phishing-resistant MFA refers to authentication methods that cannot be intercepted or replicated by a phishing attack, even if the user is deceived into visiting a fake site. The two main categories are FIDO2/WebAuthn (which includes passkeys and hardware security keys) and certificate-based authentication. Both work by cryptographically binding the authentication to the legitimate website's domain — meaning that even if a user clicks a perfect replica of their login page, the authentication simply will not complete because the domain does not match.
This is the authentication standard that RBI, SEBI, and CERT-In are moving towards for sensitive system access. It is the standard Cisco Duo supports natively. For Indian enterprises in BFSI, it is becoming a compliance requirement. For all others, it is the technically correct answer to the question "What MFA can we deploy that we will not need to replace in three years?"
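The domain binding described above is enforced by the relying party (the site the user is logging into), not by the user. The following is an added example, not Cisco's or Duo's code: it reproduces the two WebAuthn assertion checks that make a lookalike login page fail, the `origin` field in clientDataJSON and the `rpIdHash` prefix of authenticatorData. The relying-party name `login.example-corp.in`, the lookalike domain and the challenge value are constructed for the example. The authenticator's signature (omitted here, since no key is involved) covers authenticatorData together with SHA-256(clientDataJSON), so a relay cannot rewrite either field after the fact.

```python
import base64
import hashlib
import json

# Constructed relying-party identity for this example (not a real deployment).
EXPECTED_RP_ID = "login.example-corp.in"
EXPECTED_ORIGIN = "https://login.example-corp.in"
FLAG_USER_PRESENT = 0x01


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn clients emit."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: str) -> str:
    """Simulate what the browser writes into clientDataJSON for a get() ceremony."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Simulate authenticatorData: SHA-256(rpId) || flags || signCount.

    The browser derives rp_id from the page's effective domain, so a credential
    exercised on a lookalike domain carries the hash of the lookalike, not the RP.
    """
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([FLAG_USER_PRESENT]) + (0).to_bytes(4, "big")


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: str,
                             expected_origin: str = EXPECTED_ORIGIN,
                             expected_rp_id: str = EXPECTED_RP_ID):
    """Relying-party checks that bind an assertion to the genuine site.

    Returns (ok, reason). Each failure names the first check that did not hold.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed clientDataJSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real challenges are random per login
    genuine = verify_assertion_binding(
        make_client_data(EXPECTED_ORIGIN, challenge),
        make_authenticator_data(EXPECTED_RP_ID), challenge)
    lookalike = "login.example-corp.in.evil-example.net"  # constructed lookalike domain
    phished = verify_assertion_binding(
        make_client_data("https://" + lookalike, challenge),
        make_authenticator_data(lookalike), challenge)
    print("genuine site:", genuine)
    print("lookalike site:", phished)
```

The point to notice is that the user does nothing differently in either case; the replica page simply produces data the relying party refuses, which is what "phishing-resistant" means in practice.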
MFA fatigue — also called push bombing — is an attack technique where a threat actor who already has a stolen password sends repeated MFA push notification approval requests to the legitimate user. At two in the morning, or during a busy working day, a user who receives ten consecutive push notifications may approve one simply to make the alerts stop. The attacker is then in, and the authentication log shows a legitimate approval. No malware. No exploit. A human made a decision under pressure.
The 2022 Uber breach and the 2023 MGM Resorts breach — which cost MGM over $100 million in operational disruption — were both executed using MFA fatigue against organisations with mature security programmes. The attack doesn't defeat MFA as a concept. It exploits a specific implementation: push notification approval without contextual verification. The fix is MFA that requires the user to match a number displayed on screen before approving — a mechanism that makes silent approval impossible.
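Number matching prevents the silent approval, but a security team still wants to see the burst of pushes that signals a stolen password in use. The following is an added example, not part of the page or of Duo: a small detector run over constructed authentication log records. The field names (`timestamp`, `user`, `factor`, `result`, `reason`) are a simplified stand-in for an exported authentication log, not a verbatim Duo schema, and the usernames and times are made up. It flags a user who receives three or more unanswered or denied pushes within ten minutes, and escalates if an approval lands inside that same window, which is the outcome the attack is designed to produce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field names are a simplified stand-in, not a Duo export format.
SAMPLE_LOG = [
    {"timestamp": "2026-03-02T02:11:05", "user": "r.sharma", "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2026-03-02T02:11:48", "user": "r.sharma", "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2026-03-02T02:12:30", "user": "r.sharma", "factor": "duo_push", "result": "denied",  "reason": "user_denied"},
    {"timestamp": "2026-03-02T02:13:02", "user": "r.sharma", "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2026-03-02T02:13:40", "user": "r.sharma", "factor": "duo_push", "result": "success", "reason": "user_approved"},
    {"timestamp": "2026-03-02T09:30:00", "user": "a.iyer",   "factor": "duo_push", "result": "denied",  "reason": "no_response"},
    {"timestamp": "2026-03-02T09:31:10", "user": "a.iyer",   "factor": "duo_push", "result": "success", "reason": "user_approved"},
]

# Push outcomes that mean "the user did not knowingly approve this".
UNANSWERED = {"no_response", "user_denied", "user_marked_fraud"}


def detect_push_bombing(records, threshold=3, window=timedelta(minutes=10)):
    """Return findings for users with `threshold` or more unanswered pushes inside `window`.

    A medium finding is raised when the burst threshold is reached; a high finding
    is raised if a success follows while the burst is still inside the window.
    """
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if rec["factor"] == "duo_push":
            by_user[rec["user"]].append(
                (datetime.fromisoformat(rec["timestamp"]), rec["result"], rec["reason"]))

    findings = []
    for user, events in by_user.items():
        recent_failures = []  # timestamps of unanswered pushes still inside the window
        for ts, result, reason in events:
            recent_failures = [t for t in recent_failures if ts - t <= window]
            if result == "denied" and reason in UNANSWERED:
                recent_failures.append(ts)
                if len(recent_failures) == threshold:  # fire once per burst
                    findings.append({"user": user, "severity": "medium", "at": ts.isoformat(),
                                     "detail": f"{threshold} unanswered pushes within {window}"})
            elif result == "success" and len(recent_failures) >= threshold:
                findings.append({"user": user, "severity": "high", "at": ts.isoformat(),
                                 "detail": "approval following a push burst; verify with the user"})
                recent_failures = []
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(SAMPLE_LOG):
        print(finding)
```

In the sample, `r.sharma` produces a medium finding on the third unanswered push and a high finding on the 02:13:40 approval; `a.iyer`, with one missed push followed by an approval, produces nothing. The same logic can be ported to a SIEM correlation rule once the logs are exported there.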
MFA is a control — a specific technical mechanism for verifying identity. Zero trust is an architecture — a security operating principle that says no user, device, or network location should be implicitly trusted, and that access to every resource should be verified continuously based on identity, device health, and contextual risk signals.
MFA is necessary for zero trust, but not sufficient on its own. A zero-trust architecture verifies who you are (identity, via MFA), what you are connecting from (device trust — is the device managed, patched, and encrypted?), and whether the request makes sense in context (risk signals — unusual location, unusual time, unusual resource). Cisco Duo is architecturally positioned as a zero-trust access solution because it brings all three factors together: strong authentication, device posture assessment, and adaptive access policies.
Cisco Duo is a cloud-delivered access security platform. Its core function is MFA — verifying user identity with a second factor before granting access to applications, systems, and infrastructure. Beyond MFA, Duo provides device trust (assessing whether the device a user is connecting from meets your security baseline), single sign-on (a unified login experience across cloud and on-premise applications), and adaptive access policies (adjusting authentication requirements based on risk signals such as location, device health, and user behaviour patterns).
Duo protects access to VPN, cloud applications (Microsoft 365, Salesforce, SAP, ServiceNow), on-premise applications, SSH and RDP for infrastructure access, custom applications via API, and the Cisco Secure Access ZTNA platform. It is deployed as a cloud service — no hardware to rack, no on-premise infrastructure required, though an on-premise proxy is available for environments that need it.
They are related but distinct. Cisco Duo is the identity and access security platform — MFA, device trust, SSO, and adaptive access policies. Cisco Secure Access is Cisco's broader ZTNA (Zero Trust Network Access) and SSE (Security Service Edge) platform, which includes network-level zero trust, SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), and DNS-layer security.
Duo is a core component of Cisco Secure Access and is the identity enforcement layer within it. If you are deploying Cisco Secure Access, you are deploying Duo as part of it. If you are deploying Duo standalone, you are deploying the identity and MFA layer without the broader network security stack. Most Indian mid-market deployments start with Duo standalone and add Cisco Secure Access capabilities as zero trust maturity grows.
Duo Mobile is the authenticator application installed on a user's smartphone that handles push notification approvals, generates TOTP codes, and stores passkeys. It is available for iOS and Android. When a user logs in to a protected application, Duo sends a push notification to their registered Duo Mobile app. The user reviews the request — including login location, device, and application — and approves or denies it. Verified Push (the phishing-resistant version) additionally requires the user to enter a number displayed on the login screen before the approval completes.
Duo supports a broad range of second factors to accommodate different user populations and security requirements:
Duo Push — push notification to the Duo Mobile app (standard and Verified Push)
TOTP (Time-based One-Time Passcode) — generated in Duo Mobile or any TOTP-compatible authenticator
FIDO2/WebAuthn — hardware security keys (YubiKey, etc.) and passkeys stored in Duo Mobile or platform authenticators
Biometrics — Touch ID, Face ID, Windows Hello via FIDO2
SMS OTP — available but not recommended for high-security access; can be disabled by policy
Hardware tokens — for users without smartphones (factory floor operators, shared workstations)
Phone callback — for legacy users; not recommended as primary factor
For most Indian enterprise deployments, Duo Push is the default, Verified Push is the recommended upgrade, and FIDO2 is the target for the highest-security access.
Verified Push is Duo's implementation of number-matching MFA. When a user attempts to log in, a three-digit number is displayed on the login screen. The user opens Duo Mobile and must enter that same number before the push approval completes. This single addition eliminates MFA fatigue attacks entirely — a push sent by an attacker to a user who is not currently logging in will not display a matching number, and the user cannot approve it without the number.
Cisco made Verified Push the default for all Duo deployments in 2023. It adds approximately two seconds to the login experience. For Indian enterprises still running standard push approvals, enabling Verified Push is a zero-cost security upgrade that eliminates one of the most common breach vectors in use today.
Yes. For user populations that cannot or should not use smartphones — factory floor operators working with machinery, field technicians in restricted environments, shared workstation users in manufacturing or healthcare — Duo supports OATH-compatible hardware tokens that generate TOTP codes. These function identically to the Duo Mobile TOTP function, but without a smartphone. Hardware tokens are also appropriate for highly privileged accounts where additional assurance is required beyond a mobile app.
Cisco Duo is licensed per user, per year, on a subscription basis. Unlike Meraki's co-termination model, Duo licensing is per-user — you pay for a defined number of active users and renew annually. Users are counted based on those who have authenticated through Duo at least once in a given period; guest or occasional users can be handled through policies that don't consume permanent licences.
In India, Duo is purchased through Cisco's authorised partner channel. Pricing is in US dollars but invoiced in INR at the prevailing exchange rate at the time of purchase. Three-year terms are available and offer meaningfully better per-user per-year economics than annual. For any serious deployment, request a formal commercial proposal through a Cisco Preferred Security Partner who can structure the right tier and term.
Cisco Duo currently offers three tiers:
Duo Essentials — MFA for any application, Duo Push, TOTP, and basic device visibility. Entry point for organisations starting their MFA journey. Does not include device trust enforcement or SSO.
Duo Advantage — adds adaptive authentication policies, device health checks (is the device encrypted? is the OS current? is endpoint protection active?), risk-based authentication, and the ability to block access from non-compliant devices. This is the recommended baseline for Indian enterprises deploying MFA seriously.
Duo Premier — adds full Duo SSO, passwordless authentication, advanced trusted endpoints with certificate-based device trust, and the deepest integration with Cisco's broader security stack. Appropriate for organisations deploying zero trust access architecture or integrating with Cisco Secure Access.
For most Indian mid-market deployments, Duo Advantage is the right tier. Duo Essentials leaves device trust and adaptive access off the table — which means you have strong identity verification but no assurance about what devices are connecting. That gap is how attackers with stolen credentials on unmanaged personal devices get through.
There is a Duo Free tier that covers up to ten users. It includes Duo Push, TOTP, and basic MFA for any application. It is appropriate for small teams or for proof-of-concept evaluation. It is not appropriate for enterprise deployment — it lacks device trust, adaptive policies, and the management capabilities needed to govern access across hundreds or thousands of users. Any Indian enterprise deploying Duo seriously should be on Essentials minimum and Advantage for full value.
Duo counts active users — those who have logged in through Duo at least once within the billing period. If you have 500 employees but only 400 regularly access systems protected by Duo in a given month, you are consuming approximately 400 user licences. Service accounts, machine-to-machine authentication, and API integrations are typically handled differently and should be discussed with your Cisco partner to ensure correct licence sizing.
For organisations with high staff turnover — common in BFSI and IT/ITeS in India — Duo's model means licences from departed employees can be de-provisioned and reallocated. User management integrates with Active Directory and Azure AD via Duo's directory sync, so provisioning and de-provisioning can be automated rather than manually managed.
Cisco does not publish retail pricing, and INR pricing fluctuates with exchange rates. As a directional reference for budgeting purposes only (formal pricing requires a commercial proposal):
Duo Essentials: approximately $3–4 per user per month at list price.
Duo Advantage: approximately $6–9 per user per month at list price.
Duo Premier: approximately $9–12 per user per month at list price.
Volume discounts apply from 500 users upwards and are significant at 1,000+ users. Multi-year terms reduce per-user cost meaningfully. For an Indian enterprise deploying Duo Advantage across 1,000 users on a three-year term, plan for a budget in the range of Rs 1.5–2.5 crore total, subject to a formal quote. This number changes with exchange rates and volume — treat it as an order-of-magnitude reference, not a quote.
Effectively, any application that supports modern authentication protocols, plus many that don't, through Duo's proxy capabilities. The main categories:
VPN — Cisco AnyConnect/Secure Client, Palo Alto GlobalProtect, Fortinet FortiGate, Check Point, Pulse Secure, and others
Cloud applications — Microsoft 365, Google Workspace, Salesforce, SAP, ServiceNow, Workday, AWS, Azure, GCP
On-premise applications — any application supporting RADIUS, LDAP, SAML, or OIDC
Remote access — RDP (Windows Remote Desktop), SSH (Linux servers and network infrastructure)
Custom applications — via Duo's API for applications built in-house
Network infrastructure — Cisco routers, switches, and firewalls for admin access
For legacy applications without modern authentication support, Duo's Authentication Proxy acts as a bridge — it sits between the application and your directory, adding MFA without requiring application changes.
Duo integrates with Active Directory via two mechanisms. The first is directory synchronisation — Duo syncs user accounts from AD automatically, so new user accounts appear in Duo when they are created in AD, and disabled accounts are reflected in Duo without manual intervention. The second is the Authentication Proxy — a lightweight Windows service deployed on a server in your environment that allows Duo to intercept RADIUS and LDAP authentication requests from applications that authenticate against AD, adding a second factor without modifying the applications themselves.
For most Indian enterprises running Windows-centric environments, the Authentication Proxy is the workhorse of a Duo deployment. It protects the VPN, the on-premise applications, and the network infrastructure without requiring application changes or cloud dependency on the authentication path.
Duo integrates with Microsoft 365 and Azure AD via SAML federation or as an external MFA provider through Azure AD Conditional Access. In the SAML integration, Duo becomes the identity broker — users authenticate to Duo before being passed to Microsoft. In the Conditional Access integration, Azure AD enforces a Duo MFA requirement as one of its access conditions.
The second approach is more common in Indian enterprises already running Azure AD Premium, as it allows Cisco Duo's device trust and adaptive policies to layer on top of Microsoft's native Conditional Access framework. The practical outcome: Microsoft handles identity. Duo handles device trust and contextual MFA enforcement. Both are better together than either is alone.
Yes. This is one of Duo's most important capabilities for Indian enterprises still running significant on-premise infrastructure — ERP systems, core banking applications, HR platforms, legacy line-of-business applications. The Duo Authentication Proxy runs in your environment and intercepts authentication traffic from these applications. The proxy communicates with the Duo cloud to complete the MFA step, then returns the result to the application. The application sees a standard authentication response. No application changes are required.
The only on-premise applications Duo cannot protect this way are those that use proprietary authentication mechanisms with no RADIUS, LDAP, or SAML support — typically very legacy or custom-built systems. For these, Duo's API integration capability allows developers to embed Duo directly into the application login flow.
For a straightforward deployment — Microsoft 365, VPN, and Active Directory sync — a competent Cisco partner can have Duo operational in two to four weeks. This includes licence provisioning, directory synchronisation, user enrolment campaign, and MFA enforcement.
For a complex enterprise deployment covering 20+ applications, legacy on-premise systems, and multiple geographic locations across India, budget eight to twelve weeks. The technical work is typically straightforward — the time is consumed by application inventory, testing in non-production environments, user enrolment at scale, and helpdesk preparation for the first wave of user questions. The enrolment campaign — getting users to register their devices — is almost always the critical path.
When Duo is deployed, existing users must register their device as the second factor before they can authenticate. Duo's enrolment process is self-service: users receive an email with an enrolment link, click through, install Duo Mobile if needed, and register their device in approximately three minutes. Duo supports bulk enrolment via Active Directory sync, meaning you can send enrolment invitations to your entire user base simultaneously rather than processing users one by one.
For large Indian enterprises rolling out Duo to 1,000+ users, a phased enrolment approach works best: start with IT and security teams, then senior management, then department by department. Run a parallel helpdesk line for the first two weeks of each phase. The volume of support calls drops to near-zero within a week of each wave completing.
When a user loses or replaces their phone, they go through a re-enrolment process — the new device is registered as the second factor, and the old device is removed from their Duo profile by an administrator. The standard flow requires an administrator to generate a bypass code or re-enrolment link for the affected user, who then self-registers the new device.
For enterprises, this process should be embedded in the IT helpdesk workflow — specifically in the onboarding/offboarding process and the "lost device" ticket resolution path. Duo's admin console allows administrators to generate temporary access codes for users locked out while transitioning devices. The process takes approximately five minutes for a prepared helpdesk team.
Yes, with configuration. Duo Mobile generates TOTP codes that work without network connectivity. If a user has no mobile signal but has the Duo Mobile app installed, they can select "enter a passcode" at the authentication prompt and use the code generated offline by the app. This functions identically to Google Authenticator or Microsoft Authenticator's offline TOTP mode.
For environments where users regularly work in areas with no connectivity — underground facilities, remote sites, manufacturing environments with RF restrictions — configuring offline TOTP as the fallback factor is the correct approach. Hardware tokens are the appropriate solution where even smartphones are not permitted.
Device trust is Duo's capability to assess the security posture of the device a user is connecting from before granting access, not just the user's identity. In practice, this means Duo checks — at every authentication — whether the device is running a current OS, whether it is encrypted, whether an active endpoint protection solution is present, whether it is enrolled in your MDM, and whether it has been jailbroken or rooted (for mobile devices).
The outcome is that you can write access policies that say "this user may access the ERP system only from a managed, encrypted device running Windows 11 with an active endpoint agent." A user with valid credentials attempting to log in from a personal laptop that fails these checks is blocked, regardless of whether their second factor is correct. This is the layer that separates Duo Advantage from basic MFA — identity verification alone does not tell you whether the device is compromised.
No. Duo can assess device posture independently of MDM, using the Duo Device Health application — a lightweight client installed on managed devices that reports security status directly to Duo. This is important for Indian enterprises that do not have MDM deployed (which is common in mid-market organisations) — they can still enforce device health checks through Duo without first deploying a full MDM solution.
For organisations that do have MDM (Intune, Jamf, MobileIron), Duo integrates with MDM management status as an additional trust signal — devices enrolled in MDM get higher trust than those that are not, and access policies can differentiate between the two.
A Trusted Endpoint is a device that has been positively identified as a managed, corporate-issued device through a cryptographic certificate or MDM enrolment record. Unlike device health checks (which assess posture — is the OS current? is encryption on?), Trusted Endpoint goes further — it verifies that this is a specific device your organisation controls, not just a device that happens to meet the health requirements.
Trusted Endpoints require either Duo Premier licensing or integration with your existing MDM and certificate infrastructure. For organisations with critical-access systems — finance systems, HR platforms, privileged infrastructure — Trusted Endpoint adds the assurance that only designated corporate devices can ever authenticate, regardless of whether credentials and device health are otherwise satisfied.
Yes. This is an access policy decision. Duo can be configured to deny authentication from any device that is not enrolled in your MDM or does not hold a valid corporate certificate. Users attempting to log in from personal devices are blocked at the authentication step with a configurable message — typically directing them to contact IT if they believe this is an error.
For organisations with clear BYOD policies or high-data-sensitivity environments, complete blocking of unmanaged device access is straightforward to implement in Duo Advantage and Premier.
Adaptive authentication means Duo adjusts what it requires at login based on the risk profile of the request. Low-risk access — a known user, from a managed corporate laptop, in their usual city, during business hours — may require only a push approval. Higher-risk access — the same user, from an unknown device, from a new geography, outside business hours — triggers a step-up: additional verification, FIDO2 key, or an administrator alert. Extreme-risk signals — a recognised compromised device or an impossible travel event (login from Mumbai at 9 AM and from London at 11 AM) — can trigger automatic access denial and an alert to the security team.
For Indian enterprises, adaptive policies are valuable because they reduce friction for normal access while raising the bar precisely at the moments that matter. A CISO who deploys adaptive policies correctly gets stronger security and fewer helpdesk calls simultaneously.
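The device-trust policy described earlier ("ERP only from a managed, encrypted Windows 11 device with an active endpoint agent") and the adaptive tiers above (push, step-up, deny) are two inputs to one access decision. The following is an added example, not Duo's policy engine: a small evaluator that applies a posture baseline per application, then scores contextual signals, and treats impossible travel (computed with the haversine distance and a 1,000 km/h plausibility ceiling, an assumed threshold) as an automatic deny. The policies, user profile, device states and the Mumbai/London coordinates and timestamps are constructed for the example.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_PLAUSIBLE_SPEED_KMH = 1000  # assumed ceiling: faster than any scheduled flight


@dataclass
class Device:
    managed: bool
    encrypted: bool
    os_name: str
    os_version: int
    endpoint_agent_active: bool
    jailbroken: bool = False


@dataclass
class LoginEvent:
    city: str
    lat: float
    lon: float
    at: datetime  # timezone-aware UTC


@dataclass
class AccessPolicy:
    name: str
    require_managed: bool
    require_encrypted: bool
    require_agent: bool
    min_os_version: dict = field(default_factory=dict)  # e.g. {"Windows": 11}


@dataclass
class UserProfile:
    usual_cities: set
    business_hours_utc: tuple = (3, 13)  # roughly 08:30 to 18:30 IST


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def posture_failures(device: Device, policy: AccessPolicy):
    """Every baseline requirement the device fails under this policy."""
    failures = []
    if device.jailbroken:
        failures.append("jailbroken or rooted device")
    if policy.require_managed and not device.managed:
        failures.append("device not managed")
    if policy.require_encrypted and not device.encrypted:
        failures.append("disk not encrypted")
    if policy.require_agent and not device.endpoint_agent_active:
        failures.append("endpoint agent inactive")
    min_ver = policy.min_os_version.get(device.os_name)
    if min_ver is not None and device.os_version < min_ver:
        failures.append(f"{device.os_name} {device.os_version} below required {min_ver}")
    return failures


def evaluate_access(device, login, profile, policy, previous=None):
    """Return (decision, reasons) where decision is allow_push, step_up_fido2 or deny."""
    if previous is not None:  # extreme-risk signal checked first
        km = haversine_km(previous.lat, previous.lon, login.lat, login.lon)
        hours = (login.at - previous.at).total_seconds() / 3600
        if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            return "deny", [f"impossible travel: {km:.0f} km in {hours:.1f} h"]
    failures = posture_failures(device, policy)
    if failures:  # a correct second factor does not rescue a non-compliant device
        return "deny", failures
    signals = []
    if not device.managed:
        signals.append("unmanaged device")
    if login.city not in profile.usual_cities:
        signals.append(f"new location: {login.city}")
    start, end = profile.business_hours_utc
    if not start <= login.at.hour < end:
        signals.append("outside business hours")
    if signals:
        return "step_up_fido2", signals
    return "allow_push", ["known device, usual location, business hours"]


if __name__ == "__main__":
    erp = AccessPolicy("erp", True, True, True, {"Windows": 11})
    profile = UserProfile(usual_cities={"Mumbai", "Pune"})
    corp = Device(True, True, "Windows", 11, True)
    mumbai = LoginEvent("Mumbai", 19.076, 72.8777, datetime(2026, 3, 2, 6, 0, tzinfo=timezone.utc))
    london = LoginEvent("London", 51.5074, -0.1278, datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc))
    print(evaluate_access(corp, mumbai, profile, erp))
    print(evaluate_access(corp, london, profile, erp, previous=mumbai))
```

The ordering is deliberate: impossible travel and posture failures end the evaluation before any friction-reducing logic runs, so a compromised session never gets the "quiet path" that adaptive policies give to normal access. The same personal laptop is denied under the ERP policy but only stepped up under a looser portal policy, which is the per-application differentiation the text describes.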
Yes, directly. RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices and its revised Authentication Directives require regulated entities — banks, NBFCs, payment system operators — to implement robust multi-factor authentication for access to critical systems and sensitive data. RBI's directives are specifically moving away from SMS OTP towards more secure second factors.
Duo addresses RBI's requirements on several fronts: strong MFA for user access to core banking and payment systems, access logging with full audit trails of every authentication event, device trust to ensure access from managed devices only, and adaptive policies that enforce higher assurance for privileged access. For NBFCs preparing for RBI inspections, Duo's compliance reporting module generates authentication logs in formats that directly support audit evidence.
The Digital Personal Data Protection Act 2023 requires data fiduciaries to implement "reasonable security safeguards" for personal data. While the Act does not name MFA specifically, RBI, SEBI, and CERT-In have all issued guidance that makes MFA a baseline expectation for systems handling personal data. In any post-breach assessment under the DPDP Act, the absence of MFA on systems that hold personal data will be a significant negative finding.
Cisco Duo also supports DPDP compliance on the access governance dimension: every authentication event is logged with user, device, application, location, and outcome. This audit trail is the evidentiary backbone of demonstrating that access to personal data was controlled and monitored, which is what "reasonable security safeguards" requires in practice.
SEBI's CSCRF, which applies to all SEBI-regulated entities — brokerages, AMCs, depositories, exchanges — requires strong access controls, privileged access management, and multi-factor authentication for access to critical systems and sensitive market data. Duo's MFA, device trust, and access policy capabilities directly address the authentication and access control requirements within CSCRF. Duo's audit logs and compliance reports provide the evidence trail required for SEBI inspections and incident reporting.
CERT-In's cybersecurity directives require organisations to maintain logs of all authentication events for a minimum period and to report incidents within defined timeframes. Duo's authentication logs capture every event — successful and failed authentications, devices used, locations, applications accessed — and can be exported to SIEM platforms including Cisco Splunk, Microsoft Sentinel, and IBM QRadar for centralised retention and analysis. This directly satisfies the logging requirements in CERT-In's directives.
Both SOC 2 and ISO 27001 require documented access controls, evidence of MFA implementation, and audit trails for access to sensitive systems. Duo's deployment provides the technical control (MFA enforced on all protected applications), the evidence (complete authentication logs), and the reporting capability (Duo's admin console exports reports by user, application, time range, and authentication result). For Indian GCCs under pressure from global parent companies to demonstrate SOC 2 or ISO 27001 compliance, a correctly deployed and documented Duo implementation satisfies the access control requirements across both frameworks.
RBI's revised directives require all regulated entities to implement flexible, risk-based authentication that moves beyond static SMS OTP for access to sensitive systems. For NBFCs, the practical implication is that SMS OTP as the sole second factor for employee access to core systems, payment authorisation workflows, and customer data platforms is no longer sufficient. The directive requires MFA that is proportionate to the risk of the access, meaning higher-risk operations require stronger factors.
Cisco Duo addresses this directly through its adaptive access policies: low-risk access can use standard push, high-risk operations can require FIDO2 or Verified Push, and every access decision is logged for audit purposes. NBFCs that have not yet moved beyond SMS OTP should treat the April 2026 deadline as a project start date, not a project end date — the enrolment, testing, and change management required for a proper deployment takes time.
Initially, briefly, yes — the first two to four weeks of any MFA rollout generate a wave of device enrolment questions and "I didn't get the push" calls. After this initial period, the opposite typically happens. Organisations that deploy Duo correctly and pair it with SSO (single sign-on) see significant reductions in helpdesk call volumes, because users authenticate once per session rather than repeatedly to individual applications. A manufacturing firm in Pune that deployed Duo across 800 users reported that helpdesk calls related to authentication dropped from over 200 per month to under 20 within 90 days of completing the rollout.
This is one of the most common deployment questions from Indian manufacturing clients, and it has a clean answer. Duo supports shared workstation environments through a combination of hardware tokens (OATH TOTP devices that generate codes without a smartphone), kiosk-mode configurations (where individual users authenticate with their credentials plus their token before accessing their session), and device-level trust (where the shared workstation itself is a Trusted Endpoint and individual user sessions are time-bounded).
For operators who cannot carry personal devices on the floor, hardware tokens are the appropriate second factor. They are durable, require no connectivity, and generate a unique code per user per 30-second window. The cost per token is manageable, and they do not require ongoing per-device maintenance beyond battery replacement.
Duo is architected for high availability with redundant infrastructure and SLAs. In the event of a Duo cloud outage, the behaviour depends on your configured fail-open or fail-close policy.
Fail-open: users can authenticate with their primary factor (password) only during the outage. Access is maintained but the second factor is temporarily absent. Appropriate for business-continuity-sensitive environments.
Fail-close: authentication is denied during the outage. More secure, but carries operational risk if connectivity to Duo cloud is interrupted. Appropriate for very high-security environments.
For most Indian enterprises, a fail-open policy with alerting is appropriate — the outage window is brief, and the operational risk of blocking all access outweighs the security risk of a temporary single-factor window. Duo's historical availability has been consistently above 99.99% — outages measured in minutes per year.
Contractor and third-party vendor access is one of the most significant unmanaged risk areas in Indian enterprise environments. Active Directory accounts are often not properly de-provisioned, vendor access persists beyond project completion, and there is no standard second factor requirement for non-employee access.
Duo handles this through its guest user flow: contractors authenticate with their existing credentials (even non-corporate email-based accounts, via Duo's SSO), and Duo enforces the same MFA and device trust requirements as for employees. Access policies can be more restrictive for contractor user groups — limited to specific applications, time-bounded sessions, and alerts on unusual access patterns. Combined with a formal access review process and AD de-provisioning discipline, this closes the third-party access gap that is the entry point for many Indian enterprise breaches.
This is the most common comparison in Indian enterprise evaluations, and the honest answer is: it depends on your environment.
Microsoft Authenticator is the right choice if your entire application estate is Microsoft: Microsoft 365, SaaS applications federated through Microsoft Entra ID (formerly Azure AD), and nothing else. It is included in Microsoft 365 licensing, so the marginal cost of deployment is effectively zero for an organisation already paying for Microsoft 365 Business Premium or E3/E5 (Conditional Access, which you need in order to enforce MFA selectively rather than for everyone at once, requires the Entra ID P1 licence those plans include).
Cisco Duo is the right choice if your environment is mixed: non-Microsoft cloud applications, on-premise applications, VPN infrastructure from Cisco, Palo Alto or Fortinet, Linux servers accessed over SSH (protected through Duo's PAM module), and legacy systems authenticating via RADIUS or LDAP (protected through the Duo Authentication Proxy). Duo's application coverage is broader than Microsoft Authenticator's by a significant margin, its device trust works on devices that are neither Windows nor Microsoft-enrolled, and its access policies are not limited to what Entra Conditional Access can express.
The practical test: map your application estate. If more than 20% of your applications are not natively Azure AD-integrated, Microsoft Authenticator alone will leave gaps. Those gaps are where attackers go.
Okta is a full-stack IAM platform — identity lifecycle management, user provisioning, governance, and MFA in an integrated suite. Duo is a focused access security platform — MFA, device trust, adaptive access — that integrates with your existing identity infrastructure rather than replacing it.
The practical difference for Indian mid-market enterprises: Okta is the right choice if you are also looking to replace or augment your identity governance, user lifecycle management, and HR system integration — in other words, if you are solving an identity management problem at the same time as an MFA problem. It is more expensive and more complex to deploy, but it delivers more if that breadth is what you need.
Duo is the right choice if your primary problem is access security — strong MFA, device trust, and adaptive policies — and you want to bolt this onto your existing Active Directory and application infrastructure without a platform replacement. Duo deploys faster, is less expensive at comparable user counts, and has broader application coverage for the mixed-environment reality of most Indian enterprises.
For BFSI organisations under RBI pressure with a defined compliance deadline, Duo is almost always the faster path to compliance.
ManageEngine ADSelfService Plus is a password management and MFA solution from an Indian vendor (Zoho), popular in the Indian mid-market for its INR pricing and local support. It provides MFA for Windows login, Active Directory, VPN, and some cloud applications, as well as self-service password reset functionality.
For organisations whose primary requirement is Windows workstation MFA and self-service password reset with a modest budget, ADSelfService Plus is a credible option that should be on the evaluation list. Where it falls short relative to Duo: application coverage is narrower (fewer pre-built integrations for enterprise SaaS), device trust capabilities are less mature, and the adaptive access policy engine is less sophisticated. For a 200-person company protecting primarily on-premise Windows infrastructure, ManageEngine may be sufficient. For a 1,000-person company with a mixed cloud/on-premise estate, an RBI compliance requirement, and a GCC in Bengaluru under SOC 2 pressure, Duo is the appropriate enterprise-grade choice.
Microsoft Entra ID Premium P2 includes Microsoft Authenticator MFA, Conditional Access, and Identity Protection (risk-based access). For a pure Microsoft environment, this is a strong capability set. The gaps that Duo fills even when Entra P2 is present:
Device trust beyond Windows: Entra's device compliance checks are strongest for Intune-enrolled Windows, iOS and Android devices. Duo Desktop (formerly Duo Device Health) extends posture assessment (OS version, disk encryption, firewall, presence of an endpoint security agent) to devices that are not Intune-enrolled, including macOS and Linux endpoints, which is relevant for engineering teams and development environments.
Non-Entra-integrated applications: the Duo Authentication Proxy, speaking RADIUS and LDAP, covers what Entra cannot reach: legacy VPN, on-premise applications without SAML or OIDC support, and administrative access to network infrastructure.
Application-level MFA policy granularity: Duo allows per-application access policies at a level of granularity that Conditional Access cannot match for non-Microsoft applications.
The decision rule: if you have Entra P2 and your environment is predominantly Microsoft, your additional coverage gap from deploying Duo narrows. If you have significant non-Microsoft infrastructure, Duo adds meaningful protection that Entra P2 does not cover.
miniOrange is an Indian MFA and IAM vendor with INR pricing, local support, and broad protocol coverage. It is a credible option for Indian organisations in the 100–500 user range with budget constraints. Key considerations when comparing to Duo:
Enterprise scale: Duo is purpose-built for enterprise scale — it handles complex policy inheritance, large directory syncs, and high authentication volumes without configuration complexity growing proportionally. miniOrange is more commonly deployed in smaller or mid-market environments.
Global threat intelligence: Duo benefits from Cisco's Talos threat intelligence — one of the world's largest commercial threat intelligence operations. Risk signals in Duo's adaptive access policies are informed by real-time global threat data. miniOrange does not have a comparable threat intelligence integration.
Support and accountability: For regulated Indian enterprises that will present vendor credentials to RBI, SEBI, or an ISO auditor, Cisco's enterprise support model and compliance documentation are typically more acceptable than that of a smaller vendor.
For organisations under regulatory pressure, with complex hybrid environments, or at enterprise scale, Duo is the stronger choice. For a 200-person company that needs basic MFA on a constrained budget, miniOrange merits evaluation.
Five patterns we see repeatedly across Indian deployments:
First, partial deployment. MFA is enabled on Microsoft 365 and the primary VPN. The on-premise ERP, the HR system, and the development infrastructure remain on passwords alone. Attackers find the unprotected application. The illusion of coverage is more dangerous than acknowledged absence.
Second, not enabling Verified Push. Standard push approval is deployed, Verified Push is available at no extra cost, and it is not enabled. A standard push can be approved by a user who simply wants the prompts to stop, which is exactly what an MFA fatigue (push bombing) attack relies on. Verified Push requires the user to type a code shown on the login screen into the Duo app, so a blind tap cannot approve an attacker's login; the attacker would have to get the victim on the phone and talk them into entering a code read off the attacker's screen, a far higher bar and one that user training should address by name. Pair it with alerting on repeated denied or unanswered pushes for a single user, because the burst itself is the earliest signal that a password has been stolen.
Third, excluding contractors and third-party vendors. Employee MFA is complete. Contractor accounts remain on single-factor authentication with access to the same systems. A contractor whose credentials are compromised is a fully privileged entry point.
Fourth, no access review process. Duo is deployed, users are enrolled, and the administrator console is reviewed infrequently. Former employees, contractor accounts and test accounts remain active. The departure process does not include Duo de-provisioning as a mandatory step. Directory sync disables or removes synced users when their AD account is disabled or drops out of the synced groups, but users created manually in Duo, including the test and break-glass accounts administrators create during rollout, are only removed by someone looking for them.
Fifth, treating deployment as completion. MFA is live. The CISO reports to the board that MFA is deployed. Application inventory is never updated. New applications are brought online over the following twelve months without Duo protection. The coverage gap widens quietly.
MFA rollouts generate user friction and resistance when they are communicated poorly and acceptance when they are communicated well. The key is explaining the why before the how.
A communication that says "starting Monday, you will need to approve a push notification every time you log in" will generate complaints. A communication that says "our security team has identified credential theft as the highest-risk attack against our systems; this is the control that stops it, it takes a few seconds to use, and here is a five-minute guide to setting it up" generates very different responses.
Send enrolment instructions at least one week before enforcement. Provide a brief explainer video. Set up a temporary helpdesk extension for the first two weeks. Acknowledge the friction directly ("this adds a few seconds to your login") rather than pretending it does not exist. The organisations that do this well report almost no change-management friction; the organisations that do not spend the first month managing complaints rather than improving their security posture.
A realistic deployment timeline for 1,500 users across five locations:
Weeks 1–2: Application inventory. Map every application and system that requires authentication. Identify owners for each. This is always the activity that reveals gaps — applications the IT team was unaware of, shadow IT, vendor-managed systems.
Weeks 3–4: Technical configuration. Directory sync, Authentication Proxy deployment, and initial application integrations. Pilot group of 20–30 IT staff.
Weeks 5–6: Pilot expansion to 100 users. Test all application integrations. Document helpdesk procedures. Finalise access policies.
Weeks 7–10: Phased rollout by department, 300–400 users per wave. Run each wave in a two-week grace period before hard enforcement: users are prompted to enrol and to use Duo, but the new-user policy still allows unenrolled users through, so a missed enrolment becomes a helpdesk ticket rather than a lockout. Track the enrolment percentage per wave and do not move to hard enforcement below the threshold you set up front.
Weeks 11–12: Hard enforcement for all users. Legacy accounts and exceptions documented and reviewed. Compliance reporting baseline established.
Week 13: Post-deployment review. Authentication success rate, helpdesk call volume, device trust coverage percentage, and any application gaps identified during rollout.
Steady-state Duo administration is not operationally intensive for a correctly deployed environment. The core ongoing tasks: user provisioning and de-provisioning (ideally automated via AD sync), access policy review quarterly, device trust threshold review as OS versions change, application coverage review as new applications are onboarded, and authentication log review for anomalous patterns.
A well-configured Duo environment for a 1,000-user organisation requires approximately two to four hours of administrator time per week in steady state, excluding incident response. The majority of this is de-provisioning former users — which is a process problem as much as a Duo problem, and is best addressed by embedding Duo de-provisioning in the HR offboarding workflow rather than treating it as a separate security task.
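Two of the patterns above, the push-fatigue attack that Verified Push is meant to stop and the steady-state review of authentication logs for anomalies, come together in a detection rule. The following Python is an example added here, not code from this page or from Duo: it runs two rules over a handful of constructed records shaped after Duo's Authentication Log (user, factor, result, reason, timestamp, source IP). The field names, the `duo_push` factor label and the reason codes `no_response`, `user_mistake`, `user_approved` and `user_marked_fraud` are assumptions for the example; map them to whatever your log export actually contains before using the logic.

```python
"""Flag MFA-fatigue (push bombing) patterns in Duo-style authentication log records.

Added example, not code from the page or from Duo.  Rule 1: a burst of
unanswered or rejected pushes for one user inside a short window, escalated
to high severity if a success follows while the burst is still fresh.
Rule 2: any push the user explicitly marked as fraud in the app.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)                       # burst window for push-bombing detection
BURST = 3                                            # denials inside WINDOW that count as a burst
FATIGUE_REASONS = {"no_response", "user_mistake"}    # assumed reason codes for unanswered/rejected pushes

# Constructed sample records, not real log data.  Field names follow the general
# shape of Duo's Authentication Log but are an assumption for this example.
SAMPLE_LOG = [
    {"ts": "2026-04-08T02:10:00", "user": "alice", "factor": "duo_push", "result": "denied", "reason": "no_response", "ip": "203.0.113.10"},
    {"ts": "2026-04-08T02:12:00", "user": "alice", "factor": "duo_push", "result": "denied", "reason": "no_response", "ip": "203.0.113.10"},
    {"ts": "2026-04-08T02:13:00", "user": "alice", "factor": "duo_push", "result": "denied", "reason": "user_mistake", "ip": "203.0.113.10"},
    {"ts": "2026-04-08T02:14:00", "user": "alice", "factor": "duo_push", "result": "success", "reason": "user_approved", "ip": "203.0.113.10"},
    {"ts": "2026-04-08T09:00:00", "user": "carol", "factor": "duo_push", "result": "success", "reason": "user_approved", "ip": "198.51.100.7"},
    {"ts": "2026-04-08T09:05:00", "user": "bob", "factor": "duo_push", "result": "fraud", "reason": "user_marked_fraud", "ip": "203.0.113.22"},
    {"ts": "2026-04-08T09:30:00", "user": "carol", "factor": "duo_push", "result": "success", "reason": "user_approved", "ip": "198.51.100.7"},
    {"ts": "2026-04-08T11:00:00", "user": "dave", "factor": "duo_push", "result": "denied", "reason": "no_response", "ip": "198.51.100.9"},
    {"ts": "2026-04-08T11:20:00", "user": "dave", "factor": "duo_push", "result": "denied", "reason": "no_response", "ip": "198.51.100.9"},
]


def _when(record):
    return datetime.fromisoformat(record["ts"])


def detect_push_bombing(records):
    """Per user, keep a sliding window of fatigue-type push denials.

    Reaching BURST denials inside WINDOW raises a medium alert (someone is
    hammering this user).  A success while the window still holds a burst is
    the high-severity case: a worn-down user may have just approved the
    attacker's session.
    """
    alerts = []
    by_user = defaultdict(list)
    for rec in sorted(records, key=_when):
        if rec.get("factor") == "duo_push":
            by_user[rec["user"]].append(rec)
    for user, events in by_user.items():
        recent = []                                  # denials still inside WINDOW
        for ev in events:
            now = _when(ev)
            recent = [r for r in recent if now - _when(r) <= WINDOW]
            if ev["result"] == "denied" and ev.get("reason") in FATIGUE_REASONS:
                recent.append(ev)
                if len(recent) == BURST:             # fire once per burst, not on every extra push
                    alerts.append({"rule": "push_burst", "severity": "medium", "user": user,
                                   "ip": ev.get("ip"), "count": BURST, "ts": ev["ts"]})
            elif ev["result"] == "success" and len(recent) >= BURST:
                alerts.append({"rule": "push_burst_then_approval", "severity": "high", "user": user,
                               "ip": ev.get("ip"), "count": len(recent), "ts": ev["ts"]})
                recent = []                          # burst consumed by the approval
    return alerts


def detect_fraud_reports(records):
    """A push the user marked as fraud in the app is an alert on its own."""
    return [{"rule": "fraud_report", "severity": "critical", "user": r["user"],
             "ip": r.get("ip"), "count": 1, "ts": r["ts"]}
            for r in records if r.get("result") == "fraud"]


def detect(records):
    """Run every rule and return the alerts in time order."""
    return sorted(detect_push_bombing(records) + detect_fraud_reports(records), key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["severity"]:8} {alert["rule"]:24} user={alert["user"]} ip={alert["ip"]}')
```

On the sample, alice produces a medium alert at the third unanswered push and a high one when she approves a minute later, bob's fraud report is critical, and dave's two denials twenty minutes apart produce nothing because they never share a window. The high-severity case is the one worth paging someone for: the right response is to reset the password and revoke the session, not just to ask the user whether it was them.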
Start with three decisions, in this order.
First: scope. What does "MFA in place" mean to your RBI inspector? At a minimum, it means MFA enforced on every system that accesses customer data, payment infrastructure, and sensitive financial data. Map these systems before you do anything else. The temptation is to start with what is technically easy — Microsoft 365 — rather than what is regulatorily necessary. These may not be the same list.
Second: architecture. A 5,000-user environment across five cities with mixed Microsoft, on-premise, and cloud applications needs Duo Advantage at minimum — device trust and adaptive policies are not optional at this scale. Verify your directory infrastructure is ready for Duo sync (AD is clean, accounts are accurate, joiners/movers/leavers processes are documented). Any surprises in the AD will surface as surprises in the Duo deployment.
Third: sequencing. Protect the highest-risk applications first — VPN, core banking access, payment authorisation, privileged admin access. Get these live and enforced within the first 30 days. Protect the broader application estate in the following 60 days. This sequencing means you can demonstrate meaningful MFA coverage to an RBI inspector on a shorter timeline, while the full deployment completes in parallel.
A Cisco Preferred Security Partner who has done this before can assess your environment and give you a deployment plan with realistic timelines in the first meeting. The worst thing you can do with a regulatory deadline is treat it as a project start date.
Proactive Data Systems has been deploying enterprise IT infrastructure and security solutions across India since 1991. We are a Cisco Preferred Partner — one of fewer than a handful in India to hold the Preferred designation across Security, Networking, Collaboration, Cloud & AI, and services.
Have a question that is not on this list? Write to us at [email protected].
We'll get back to you shortly.