Last modified on February 1, 2023
StrongDM supports three authentication models:
- Delegated authentication
- Native accounts
- Hybrid authentication
The most common method of authenticating to StrongDM is via delegated authentication.
Authentication is commonly delegated to a Directory (such as Microsoft Active Directory) or Single Sign-On provider (such as Okta or Google).
It is not necessary to delegate authentication but can be convenient to link existing tools with StrongDM.
Native accounts are necessary for StrongDM administrative users.
Native accounts are also utilized in cases where a Directory or Single Sign-On provider is not available.
The Hybrid authentication model employs a Directory or SSO provider, but also allows the StrongDM administrator to create accounts that are not SSO-linked. This can be useful in organizations where contractors or other non-SSO users require access to StrongDM.
Set up MFA with Duo
Duo Security is available as a multi-factor authentication (MFA) option for your StrongDM users. This guide describes how to set up and configure MFA using Duo.
Set Up Duo
The first part of the setup process takes place in the Duo Admin panel. Log in as an administrator of your Duo account and perform the following steps.
- Go to Applications and then Protect an Application.
- From the list of application types, find Web SDK and click Protect.
- Be sure to note the client ID, client secret, and API hostname, as they are needed later.
- Under Settings, set up the policy, name, voice greeting, and other options according to your organization’s preferences.
- Save changes.
You are done here. Keep this browser window open to copy the key and API information when setting up StrongDM in the next section.
Set Up StrongDM
The setup continues in the StrongDM Admin UI.
- Go to Settings, then Security, and scroll down to Multi-factor Authentication.
- Click to unlock the fields and allow changes. Then select Duo from the dropdown menu.
- Using the values you noted in the Duo Admin panel, paste the client ID into the Integration Key field, the client secret into the Secret Key field, and API hostname into the Duo API URL field.
- Click Test MFA to test the MFA settings. This requires your admin account to be registered as a user in Duo.
Click Activate to enable Duo MFA. This displays a warning message that, going forward, users cannot log in without MFA enrollment. Ensure that Test MFA is successful before activating MFA, or your admin account may become locked out!
Log in With Duo MFA Enabled
The login process once Duo MFA is enabled includes only one change. After entering the username and password, the login page contains a “Waiting for MFA…” message, which displays until the Duo challenge is accepted. The process of logging in to the GUI or the CLI with Duo MFA enabled is similarly altered.
Register a New User With Duo MFA Enabled
When Duo MFA is enabled, the new user registration process halts when the user clicks the link in the invitation email, then displays a link to the Duo self-enrollment process. Once the enrollment steps are complete, the user can return to the StrongDM window to finalize the login process.
Troubleshoot MFA With Duo
You may run into issues authenticating your StrongDM account with Duo MFA enabled. The following topics can help you troubleshoot any errors you receive while logging in.
Duo username mismatch with StrongDM username
If a username in Duo does not match a StrongDM username (which is typically an email address), you need to create an alias in Duo for that user. These usernames must match to take advantage of Duo MFA for a particular user.
When is MFA authentication triggered?
When MFA is enabled in StrongDM, you are prompted to authenticate in the following circumstances:
StrongDM Desktop App
- Idle timeout (configurable in Settings > Authentication)
- IP address change
- On wake
- On login
- Idle timeout (configurable in Settings > Authentication)
- On login
When you set up an SSO provider to authenticate with StrongDM and also enable Duo MFA in the Admin UI, Duo prompts during logins do not occur. In this scenario, Duo only plays a role to re-authenticate users when the StrongDM Desktop App locks due to inactivity, not during normal login attempts.
If using SSO, we recommend setting up MFA through your SSO provider to trigger MFA prompts during user logins.
Authentication errors with Duo
| Error | Meaning | What to do |
|---|---|---|
| Invalid MFA configuration | Your organization’s MFA configuration is not correct. | Contact your StrongDM administrator. |
| MFA refused to authenticate this user | Duo has preemptively denied authentication. | Contact your Duo administrator. |
| MFA denied access | When the push alert arrived, you denied access. | Log in again and accept when the push arrives. |
| User not enrolled in MFA | You are not enrolled with Duo. | Contact your Duo administrator. |
| MFA did not return a response in time | Duo did not receive an accept/deny from your device in time. | Try logging in again and accept/deny when the push arrives. |
| Could not find a valid MFA device | Your Duo-configured device cannot receive push alerts. | Contact your Duo administrator to register another device. |
| Could not push a notification to MFA device | Duo was not able to send a push to your device. | Contact your Duo administrator. |
New device setup or reset
If you get a new mobile device or have to reset your existing device, you may be unable to log in to your Duo-protected account. If this situation occurs, please contact your organization’s Duo administrator to provision your device.
Password requirements are set in the Admin UI in Settings > Security. You can force the passwords of your StrongDM users to be of higher strength. By default, the only password requirement is that the password be eight characters long.
Password strength requirements can be increased from “No minimum strength” to “Medium,” “Strong,” or “Excellent.” If you require higher password strength, users will need to add complexity to their passwords until they grade at the higher rating you have set as the requirement.
The strength of a password can be difficult to determine. In this case, StrongDM uses the zxcvbn password strength method to test your password strength. This method discards arbitrary rules about characters and length. Instead, this method analyzes each suggested password and gives it a strength rating based on a number of factors, including things such as length, dictionary checking, password matching, and so forth.
Independently of the password strength requirement, you can also set a minimum length requirement for your users’ passwords. You should not set this minimum length to be lower than the default minimum for the password strength requirement that you have set.
There are two types of authentication timeouts for StrongDM users: idle timeouts, which concern the idle time of an authenticated user, and session timeouts, which concern the overall length of an authenticated session. Note that these limits apply to human users, not service accounts.
Idle timeouts force users to log out of the Client or Admin UI after a set number of minutes of inactivity, that is, a period in which no packets are received from the client. For example:
- Client will log users out after 20 minutes of idleness.
- Admin UI will log users out after 20 minutes of idleness.
Note that idle timeouts may be triggered by blocked processes and long-running queries.
The session timeout will force users to log out once their session reaches the pre-determined time limit. For example:
- Users must re-authenticate every eight hours.
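The following is an added example (not StrongDM's own code) that models the re-authentication triggers listed under "When is MFA authentication triggered?" together with the idle and session timeouts described above, including the caveat that Duo only prompts on inactivity locks when an SSO provider is in use. The Session fields, function names, and the use of the page's 20-minute and 8-hour figures as defaults are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Example values quoted on the page, in seconds; the real values are set in the Admin UI.
IDLE_TIMEOUT = 20 * 60
SESSION_TIMEOUT = 8 * 60 * 60

@dataclass
class Session:
    user: str
    ip: str                        # client IP address observed at login
    started_at: float              # epoch seconds when the session was authenticated
    last_activity: float           # epoch seconds of the last packet received from the client
    service_account: bool = False  # timeouts apply to human users only

def record_activity(s: Session, now: float) -> None:
    """A received packet resets the idle clock; the session clock keeps running."""
    s.last_activity = now

def reauth_reason(s: Session, now: float, ip: str, woke: bool = False) -> Optional[str]:
    """Return the trigger that forces re-authentication, or None if the session is still valid.
    Checks run from broadest to narrowest: session expiry, then idle, then IP change, then wake."""
    if s.service_account:
        return None
    if now - s.started_at >= SESSION_TIMEOUT:
        return "session timeout"
    if now - s.last_activity >= IDLE_TIMEOUT:
        return "idle timeout"
    if ip != s.ip:
        return "ip change"
    if woke:
        return "wake"
    return None

def duo_prompts(reason: Optional[str], sso_enabled: bool) -> bool:
    """Whether Duo issues a push for this event ("login" denotes the initial sign-in).
    With an SSO provider in front of StrongDM, Duo is consulted only when the Desktop App
    locks for inactivity; login-time MFA then has to come from the SSO provider."""
    if reason is None:
        return False
    if sso_enabled:
        return reason == "idle timeout"
    return True
```

Running the checks in order (session expiry before idle) matters in practice: an expired session should not be extended by a packet that arrives just before the idle limit.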