strongDM permits setting up multi-factor authentication (MFA) with Duo. Here’s how to set it up.
The first part of the setup process takes place on the Duo website. Log in as an administrator and perform the following steps.
Go to Applications, then Protect an Application
From the list of applications, find Web SDK and select Protect this Application
Note the integration key, secret key, and API hostname, as they will be needed later
You’re done here, but keep this browser window open to copy the key and API information in Step 3 below.
The setup continues on the strongDM Admin UI.
Go to Settings, then Authentication
Copy and paste the integration key, secret key, and API hostname from the Duo page
Set the idle time (default 2 hours)
Note: This determines when your strongDM login session will lock and require reauthorization with MFA to continue using it.
Click Test MFA to test the MFA settings. This requires your admin account to be registered as a user in Duo.
Click Activate to enable Duo MFA. This displays a warning message that users will be unable to log in without MFA enrollment going forward.
Warning: Ensure that Test MFA is successful before activating MFA, or your admin account may become locked out!
Once Duo MFA is enabled, the login process changes in only one way: after the user enters the username and password, the login page says ‘Waiting for MFA…’ until the Duo challenge has been accepted. The process is similar for SDM GUI and SDM CLI logins.
When Duo MFA is enabled, the new user registration process halts when the user clicks the link in the invitation email and displays a link to the Duo self-enrollment process. Once self-enrollment is complete, the user can return to the strongDM window and complete the initial login process.