Duo Security,
managed by TruPoint.
SMS-based MFA is no longer enough — and your cyber insurer's questionnaire now says "phishing-resistant," which push notification MFA doesn't satisfy. TruPoint deploys Duo as the MFA layer for clients running legacy infrastructure, mid-migration from on-prem AD, or using applications that Microsoft Entra conditional access cannot cover natively.
MFA for the apps your identity platform can't reach.
Microsoft Entra conditional access is the right long-term answer for identity — but it can't gate every legacy VPN, on-prem web app, or RDP session without significant migration work. Duo fills those gaps today, while the broader Zero Trust architecture is built out.
Phishing-Resistant MFA
FIDO2 security keys, Duo Push with number matching, and biometric authentication. Satisfies cyber insurance phishing-resistant MFA requirements — not SMS, not basic push, actual verified second factor.
Device Trust
Duo verifies device health — OS version, encryption status, lock screen — before granting access. Works independently of Intune for legacy devices or mixed BYOD environments during transitions.
Single Sign-On
Duo SSO provides a unified login portal for cloud and on-premises applications. Reduces password fatigue, extends MFA coverage to apps with no native SSO support, and simplifies user access management.
Legacy App Coverage
VPN clients, RDP gateways, on-prem web apps, and line-of-business software that Entra conditional access can't gate natively — Duo adds MFA to all of them via RADIUS integration or reverse proxy.
From legacy MFA gaps to phishing-resistant coverage in four phases.
A structured rollout that closes MFA gaps without disrupting access for legitimate users — starting with high-risk accounts, then extending to the full environment.
Audit
Map every app, VPN, and remote access method that needs MFA coverage. Identify gaps in existing Entra conditional access policies and legacy systems Duo will cover independently.
Configure
Duo application integrations built for each target system. Device trust policies defined. SSO portal configured with your application catalogue. RADIUS integrations validated for VPN and legacy apps.
Enrol
Users enrolled via 2-minute self-service flow. Hardware security keys provisioned for all privileged accounts. Helpdesk runbook prepared for lost-device and recovery scenarios before rollout.
Operate
Duo admin console monitored by TruPoint. Failed authentication spikes and new device enrollments trigger alerts. Quarterly access review included in TruCompliance reporting cycle.
Phishing-resistant isn't a preference. It's what your insurer means.
Canadian cyber insurers upgraded their MFA requirements in 2023. "MFA enabled" used to be enough. Now they ask whether it's phishing-resistant — which means hardware key or FIDO2 authenticator, not SMS or a notification you can be socially engineered into approving. Duo gets you there on every system, not just the ones Entra can reach.
- Phishing-resistant MFA that satisfies insurer questionnaires
- Covers legacy apps and VPNs that Entra conditional access can't gate
- Device trust adds a second signal beyond just credentials
- Works in hybrid environments during M365 migration
- Self-service enrolment keeps IT overhead minimal
"Our broker said phishing-resistant means hardware key or FIDO2 — not an app notification. Duo was the fastest way to get there on our mixed environment.
Where Duo fits in the TruPoint stack.
TruWorkspace Zero Trust™
Duo is the MFA bridge layer — covering legacy systems while the full Entra + Cloudflare ZTNA architecture is deployed.
TruCompliance™
Duo authentication logs and MFA coverage evidence feed the ISMS library — proof of phishing-resistant MFA for cyber insurance audits.
Microsoft Entra ID
The long-term identity foundation. Duo covers the gaps today while the Entra conditional access architecture is built out.
A 30-min MFA readiness walkthrough.
We'll map your current MFA coverage against your insurer's questionnaire and show you exactly where the gaps are.