How to use DUO to allow for remote users to change their network password?
06-14-2023 09:25 AM
We have some contractors that work remotely and they currently use DUO Mobile - Push for a 2nd factor authentication. We are to require the contractors to change their password after X days have passed.
These contractors only work remotely and never come into the office. How can we allow these remote users the ability to change their passwords with DUO?
- Labels: Groups
06-14-2023 09:27 AM
I want to say that setting up a new security group for these users and enabling DUO Single Sign-On while only allowing specific security groups to use Single Sign-On may do the trick.
What do you guys think?

06-14-2023 11:20 AM
There are a few different options that would allow a password reset. Would you not want other users besides these contractors to be able to change their passwords remotely?
One is, as you found, to set up Duo SSO with Active Directory and proactive password change, and then restrict access to Duo Central to just permitted groups.
Another option could be available through a VPN configuration. If the VPN allows chained primary and secondary authentication then you could point primary auth to AD and just secondary auth to Duo via RADIUS. When a user’s password expires they could reset it through the VPN directly against AD. An example of that config is here: Duo RADIUS Two-Factor Authentication with Password Reset for Cisco ASA SSL VPNs | Duo Security
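
A sketch of the ASA side of the chained setup described in the reply above, as an added example that is not from the original thread or from Duo's documentation. The group names, addresses, bind account, tunnel-group name and the 14-day warning window are all assumed placeholders, and the Duo Authentication Proxy is assumed to answer RADIUS at 192.0.2.20.

```text
! Added example. Names, addresses, secrets and day counts are placeholders.
!
! Primary authentication: Active Directory over LDAPS.
! AD only accepts password changes on an encrypted connection,
! so ldap-over-ssl is required for the reset to work.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <BIND_PASSWORD>
!
! Secondary authentication: Duo only, over RADIUS to the
! Duo Authentication Proxy. The longer timeout leaves time
! for the user to approve the push.
aaa-server DUO_RADIUS protocol radius
aaa-server DUO_RADIUS (inside) host 192.0.2.20
 key <RADIUS_SHARED_SECRET>
 authentication-port 1812
 timeout 60
!
! Connection profile for the contractors: AD first, Duo second.
! password-management lets the ASA prompt for a new password
! when AD reports it as expired or about to expire.
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 authentication-server-group AD_LDAP
 secondary-authentication-server-group DUO_RADIUS use-primary-username
 password-management password-expire-in-days 14
```

Scoping this to a dedicated tunnel-group keeps the remote password change limited to the contractor profile, in the same way the SSO option restricts Duo Central to permitted groups.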
