
Set up MFA with Duo

Duo is available as a multi-factor authentication option for your strongDM users. Here's how to set it up:

Steps

The first part of the setup process takes place on the Duo Admin panel. Log in as an administrator of your Duo account and perform the following steps:

  1. Go to Applications and then Protect an Application.
  2. From the list of application types, find Web SDK and click Protect.
  3. Be sure to note the client ID, client secret, and API hostname, as they will be needed later.
  4. Under Settings, set up the policy, name, voice greeting, and other options according to your organization's preferences.
  5. Save changes.

You're done here, but keep this browser window open to copy the key and API information when doing strongDM setup in a few moments.

Set up with strongDM

The setup continues on the strongDM Admin UI.

  1. Go to Settings, then Authentication.

  2. Click to unlock the fields and allow changes. Then select Duo from the dropdown menu.

  3. Using the values you noted in the Duo Admin panel, paste the client ID into the Integration Key field, the client secret into the Secret Key field, and API hostname into the Duo API URL field.

  4. Click Test MFA to test the MFA settings. This will require your admin account to be registered as a user in Duo.

  5. Click Activate to enable Duo MFA. This will pop up a warning message that says users will be unable to log in without MFA enrollment going forward.


    Ensure that Test MFA is successful before activating MFA, or your admin account may become locked out!
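
Because a wrong value can lock out the admin account, it helps to catch copy/paste mistakes in the three Duo values before clicking Test MFA. The following pre-flight check is an added example, not strongDM or Duo code; the function name, the 20/40-character lengths, and the hostname pattern are assumptions based on the usual shape of Duo Web SDK credentials.

```python
import re

# Assumed shapes of Duo Web SDK values; adjust if your tenant differs.
CLIENT_ID_LEN = 20
CLIENT_SECRET_LEN = 40
API_HOST_RE = re.compile(r"api-[0-9a-z]{8}\.duosecurity\.com", re.IGNORECASE)


def preflight(client_id, client_secret, api_hostname):
    """Return (fields, problems) for the values noted in the Duo Admin panel.

    fields maps each value to the strongDM field it is pasted into.
    problems lists mistakes to fix before clicking Test MFA.
    The secret itself is never included in a problem message.
    """
    problems = []
    raw = {"client ID": client_id, "client secret": client_secret,
           "API hostname": api_hostname}
    for name, value in raw.items():
        if value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")
    cid, secret, host = (v.strip() for v in raw.values())

    # A 40-character "ID" next to a 20-character "secret" means a swap.
    if len(cid) == CLIENT_SECRET_LEN and len(secret) == CLIENT_ID_LEN:
        problems.append("client ID and client secret look swapped")
    else:
        if len(cid) != CLIENT_ID_LEN:
            problems.append(f"client ID: expected {CLIENT_ID_LEN} characters")
        if len(secret) != CLIENT_SECRET_LEN:
            problems.append(f"client secret: expected {CLIENT_SECRET_LEN} characters")
    if not API_HOST_RE.fullmatch(host):
        problems.append("API hostname: expected api-XXXXXXXX.duosecurity.com")

    fields = {"Integration Key": cid, "Secret Key": secret, "Duo API URL": host}
    return fields, problems


# Constructed sample values, not real credentials.
SAMPLE_ID = "DI" + "X" * 18
SAMPLE_SECRET = "s" * 40
SAMPLE_HOST = "api-0123abcd.duosecurity.com"

if __name__ == "__main__":
    _, issues = preflight(SAMPLE_SECRET, SAMPLE_ID, "https://" + SAMPLE_HOST)
    print("\n".join(issues) or "ready for Test MFA")
```

An empty problem list only means the values are well-formed; Test MFA is still the check that they are correct.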

Log in with Duo MFA enabled

The login process once Duo MFA is enabled has only one change. After entering the username and password, the login page will now say "Waiting for MFA..." until the Duo challenge has been accepted. The process of logging in to the GUI or the CLI with Duo MFA enabled is similarly altered.

Register a new user with Duo MFA enabled

When Duo MFA is enabled, the new user registration process will halt when the user clicks the link in the invitation email, then display a link to the Duo self-enrollment process. Once this process is complete, the user will be able to return to the strongDM window and complete the initial login process.

Troubleshoot MFA with Duo

You may run into issues authenticating your strongDM account with Duo MFA enabled. Below is some information about errors you may receive while logging in, and suggested troubleshooting steps.

When is MFA authentication needed?

You will be prompted for a strongDM MFA authentication in the following circumstances:

  • Local client
    • Idle timeout (configurable in Settings > Authentication)
    • IP address change
    • On wake
    • On login
  • Admin UI
    • Idle timeout (configurable in Settings > Authentication)
    • On login. One exception is when SSO is configured along with MFA. You will not receive MFA authentication challenges on login in this case, as it is assumed that the SSO provider is handling multi-factor authentication (or lack thereof).

Authentication Errors with Duo

| Error | Issue | Resolution |
| --- | --- | --- |
| Invalid MFA configuration | Your organization's MFA configuration is not correct. | Contact your strongDM administrator. |
| MFA refused to authenticate this user | Duo has preemptively denied authentication. | Contact your Duo administrator. |
| MFA denied access | When the push alert arrived, you denied access. | Log in again and choose 'Accept' when the push arrives. |
| User not enrolled in MFA | You are not enrolled with Duo. | Contact your Duo administrator. |
| MFA did not return a response in time | Duo did not receive an accept/deny from your device in time. | Try logging in again and accept/deny when the push arrives. |
| Could not find a valid MFA device | Your Duo-configured device cannot receive push alerts. | Contact your Duo administrator to register another device. |
| Could not push a notification to MFA device | Duo was not able to send a push to your device. | Contact your Duo administrator. |

New/Reset Device

If you get a new mobile device or have to reset your existing device, you may be unable to log into your Duo-protected account. If this situation occurs, please contact your organization's Duo administrator to provision your new/reset device.

Unfortunately, strongDM is unable to assist with provisioning your Duo devices.
