Duo Reset: How to Reset Cisco Duo MFA

Nametag Team
Nametag console showing a successful verification result

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

Cisco Duo is a multi-factor authentication (MFA) solution that generates one-time passcodes and receives push notifications. Companies use Duo to add an additional layer of security to their users’ accounts. Unfortunately, if you need to reset your Duo app (for example because you changed phones), the process is usually long, frustrating, and insecure. Here's how to do it using the default options provided by Cisco Duo, and a better way to do it with Nametag.

Duo MFA Reset with Default Options

If you lose or upgrade your phone, or otherwise lose access to your Duo app, you’ll need to reset it. To do this, Duo offers three default options that admins can choose to enable:

  1. Contact IT support to do it for you
  2. Duo Restore, which backs up to iCloud keychain (iOS) or Google Drive (Android)
  3. Duo’s self-service reset portal, which uses outdated verification methods

Unfortunately, all of these options can be frustrating for users and potentially easy for bad actors to exploit.

Helpdesk tickets: Making users contact IT to reset their Duo account is frustrating for everyone, and adds a significant risk of social engineering. How does a support agent know that the person they’re talking with is a legitimate user trying to regain access to their Duo account, or a bad actor trying to take over that account to nefarious ends?

Duo Restore: Duo has a feature which backs itself up to a user’s iCloud keychain (iOS) or Google Drive (Android), enabling account recovery when a user changes devices. However, this requires a user to have already enabled the feature beforehand––if they didn’t, they’re simply out of luck. In addition, the Cisco community forums are filled with posts from users who are confused and overwhelmed by the feature’s arcane workings.

Self-service portal: Duo does offer a self-service portal which, when enabled by an administrator, allows users to change their own MFA devices. Some organizations, like Wayne State University, have their users log in to this portal with their standard username and password, then enter a one-time passcode that’s sent via text message or phone call. 

Wayne State University Duo Mobile App Reset Screen
Duo Mobile App Reset – from Wayne State University

Unfortunately, the verification options offered by Duo can create potential security vulnerabilities and lengthy IT tickets.

Passcodes sent via text message are notoriously vulnerable to phishing, interception, and SIM swap attacks. Sometimes, texts just never arrive, forcing users to contact IT for help (where they’ll need to be verified via their Duo app, which they can’t access, or via other factors, which are insecure).

Passcodes sent via email just move the security burden onto another password, because email accounts are often only protected by a password––which attackers may already have through a prior breach, since 65% of people admit to reusing them across their accounts.

It’s no surprise, then, that Duo recommends you use Verified Duo Push, or Security Keys and Touch ID to verify Duo resets. But even these authentication factors have major drawbacks:

  • Hardware keys offer high security, but are difficult to issue and manage at scale. As a result, most organizations issue them to only a portion of privileged users.
  • Push notifications to an authenticator app can be exploited by push fatigue attacks that spam users into accepting. Also, if a user has changed their MFA device, they likely don’t have access to their authenticator app in the first place.

Self-Service Duo MFA Reset with Nametag

Nametag perfectly compliments Cisco Duo by enabling users to securely reset their Duo apps entirely on their own. Here’s how to reset Duo with Nametag:

  1. Navigate to your company’s Nametag account recovery microsite.
    Enter your work email address, and then scan the QR code with your smartphone. This will launch the Nametag experience on your device.
  1. Follow the instructions to verify your identity with Nametag.
    Scan the front and back of your government-issued ID document. You can use a driver’s license, passport, or any of 11,000 other forms of government-issued photo ID.
  1. Take a selfie.
  1. Wait for Nametag to verify your identity, then hit “Close”.
  1. Return to your microsite. You will now have the option to reset your Duo app.
  1. Click “Reset multi-factor authentication” for Duo, then follow the instructions to sign in to Duo and set up new MFA options.

Nametag integrates with Cisco Duo to close a critical security and experience gap: the Duo recovery process. Organizations using Nametag with Duo save up to 30% of their helpdesk costs by deflecting MFA resets to self-service, while preventing account takeovers that lead to data breaches and ransomware.

Secure your helpdesk against social engineering and impersonators.
Accept All Cookies