DUO Admin
Authentication Methods Ranked
1. Touch ID
2. Security keys
3. Duo Mobile push approval
4. YubiKey passcodes
5. Duo Mobile generated passcodes
6. Hardware token passcodes
7. SMS passcodes
8. Phone call approval
Reporting Overview
AUTHENTICATION LOG
TELEPHONY LOG
ADMINISTRATOR ACTIONS
AUTHENTICATION SUMMARY
DENIED AUTHENTICATIONS
DEPLOYMENT PROGRESS
POLICY IMPACT
ORDER OF ENFORCEMENT
Application and Group Policies override the Global Policy. Group Policies override Application Policies.
Precedence, highest to lowest: Group > Application > Global
Enrollment Emails
Day 0: User is synced. Initial enrollment email sent to end-user.
Day 2: Reminder 1: Sent if enrollment is not completed.
Day 10: Reminder 2: Sent if enrollment is not completed.
Day 30: Link expires. A new link is generated and the cycle repeats the next time the sync runs.
METHODS FOR ADDING USERNAMES
Directory Sync
Import Users
Bulk Enrollment
Inline Self-Enrollment
Conditions for Push Notifications
Duo Mobile app is installed and activated on the device.
Device is connected to a reliable WiFi or cellular connection.
Duo Push requests / Notifications are toggled On in your notification settings.
DUO WEB SDK
The Duo Web SDK can also be used to add two-factor authentication to a web application by modifying the application's code to add a second login page and splitting the login handler into two parts. The Duo Web SDK is a generic integration that can be used to protect applications that are not listed on the Applications tab.
APPLICATIONS
Duo can protect almost any application that supports authentication via RADIUS, LDAP, or SAML 2.0.
Remembered Devices Policy
When a Remembered Devices policy is enabled, Duo creates a trusted session for web-based applications using the Duo Prompt for a period of time decided by the administrator (the default is 30 days).
UNENROLLED/NEW USER (NO USERNAME, NO DEVICE)
If a username is not listed in the Duo Admin Panel at all, the user is not enrolled. Their information will not appear in the Admin Panel, and they will be treated as a new user when they attempt to access Duo-protected applications.
POLICIES
Improve your security posture by configuring and enforcing rules for who can access your applications, under conditions you define.
TELEPHONY OPTIONS
Low-credit alerts (low credit alert email)
CREATING ADMINISTRATORS
Owner-role administrators can create new administrators directly in the Admin Panel or by using the Admin API to generate a setup link.
Administrators need both a Duo administrator account AND an end-user account: one to access the Admin Panel, and the other to access their Duo-protected applications.
Note: Duo does not support user provisioning via Directory Sync for administrator accounts. Administrator accounts for the Admin Panel are local to the Duo Cloud Service and must be created directly in the Admin Panel or via the Admin API with a password; they cannot be synced from an external source.
Import Users
REQUIREMENTS: CSV file of user attributes
ENROLLMENT EMAILS: Not sent
IDEAL ENVIRONMENTS: Flexible; can be used by any Owner, Administrator, or User Manager with a CSV file of user information
DIRECTORY SYNC
REQUIREMENTS: External directory with populated user groups. Duo Authentication Proxy (on-premises Active Directory or OpenLDAP)
ENROLLMENT EMAILS: When Send Enrollment Email is enabled, emails are sent only to users without an attached phone number
IDEAL ENVIRONMENTS: Great solution for those with an existing external directory. Reduces effort for provisioning users
Device Management Portal
REQUIREMENTS: On-premises web server with authentication to user directory. Ability to add a second login page
ENROLLMENT EMAILS: Not sent
IDEAL ENVIRONMENTS: Advanced configuration. Requires development resources. Additional gating recommended (e.g. restrict enrollment from external networks)
INLINE SELF-ENROLLMENT
REQUIREMENTS: Protected application that supports the Duo Prompt
ENROLLMENT EMAILS: Not sent
IDEAL ENVIRONMENTS: Quick and efficient. Great method if speed to security is required
BULK SELF-ENROLLMENT
REQUIREMENTS: Username and valid email address for all users
ENROLLMENT EMAILS: Sent automatically to unenrolled users
IDEAL ENVIRONMENTS: Flexible; can be used by any Owner, Administrator, or User Manager with valid email addresses for end-users
NEW USER POLICY OPTIONS
Require Enrollment: Allow unenrolled users to self-enroll the next time they log in to a Duo-protected application. In order for end-users to self-enroll, your application must support the Duo Prompt or Universal Prompt.
Allow Access without 2FA
Deny Access: Block unenrolled end-users from accessing Duo-protected applications.
APPLICATIONS THAT YOU CAN INTEGRATE WITH DUO
Servers, workstations, and laptops
VPNs
Web applications
Single Sign-on (SSO)/SAML 2.0 identity providers and applications
Generic RADIUS and LDAP configurations
DUO AUTH API
The Duo Auth API is a REST-based API that can be configured to work with a number of different services.
THE DUO PROMPT
This prompt is delivered via an inline frame (iframe), generally using the Web SDK, which means that the Duo Prompt is embedded within a web page hosted by the protected application.
FULLY ENROLLED (USER & DEVICE)
When a user has both their username and at least one associated 2FA device in Duo, the user is considered fully enrolled.
PARTIALLY ENROLLED (USERNAME ONLY)
When a user has only a username in Duo with no associated 2FA device, the user is considered partially enrolled.
Generic LDAP
When generic LDAP is used, you will need to install the Duo Authentication Proxy, a local proxy service, on a physical or virtual host within your network.
Generic RADIUS
When RADIUS is used, you will need to install the Duo Authentication Proxy, a local proxy service, on a physical or virtual host within your network. This Duo proxy server may also act as a RADIUS server — there's usually no need to deploy a separate RADIUS server to use Duo.
Customization
Exists only for web-based applications. Needs to be a PNG.
LOCKOUT SETTINGS
Lockout threshold settings can be configured by administrators and are customizable on the Settings page. The default lockout threshold is ten failed attempts.
SMS Weaknesses
Text messages can be rerouted to another device, and SMS-delivered codes can be read even from a locked phone screen.
THE UNIVERSAL PROMPT
The Universal Prompt is delivered using OpenID Connect (OIDC) standards, an authentication delegation protocol that enables communication between an application and an authentication provider. The protected application redirects to the Universal Prompt on a page hosted by Duo at duosecurity.com, which then redirects back to the protected application.