
Duo Authentication

Duo MFA (Multi-Factor Authentication) strengthens security by requiring users to provide multiple verification factors before accessing applications or systems.

It combines something the user knows (e.g., a password) with something the user has (e.g., a smartphone or a token), reducing the risk of unauthorized access.

Duo's flexible options include push notifications, SMS passcodes, phone calls, and hardware tokens, accommodating diverse user preferences and security needs. By integrating seamlessly with existing systems, Duo MFA ensures robust security while maintaining a user-friendly experience.

Benefits of Using Duo MFA

Benefit                   Description
Robust Security           Adds a verification layer beyond the password.
Flexible Authentication   Supports push notifications, SMS passcodes, phone calls, and hardware tokens.
Seamless User Experience  Quick approvals from the user's mobile device.
Smooth Integration        Plugs into existing LoginRadius authentication workflows.

Use Cases

  • Secure High-Value Accounts: Enable Duo MFA for accounts with administrative privileges or access to sensitive data to ensure strong protection even if passwords are compromised.
  • Protect Mobile Workforce: Use Duo push or phone verification for employees accessing corporate resources from mobile devices and remote locations.
  • Secure Financial Transactions: Enforce Duo Re-Authentication before users make payments, transfer money, or modify financial information.
  • Regulatory Compliance: Implement Duo MFA for strong, auditable authentication controls to meet strict industry compliance requirements (HIPAA, PCI-DSS, GDPR).
  • Partner and Vendor Access Security: To maintain secure external collaborations, apply Duo MFA for third-party vendors or partners accessing your systems.

Duo MFA Workflow

When Duo Authentication is enabled:

  1. During login, the MFA Login API initiates a Duo Authentication challenge and the user is sent to Duo.
  2. On successful Duo authentication, Duo returns a state and a duo_code.
  3. These parameters are delivered to your application through the redirect to duoRedirectURI.
  4. Your application calls the Duo Verification API with the returned state and duo_code.
  5. On successful verification, the user is logged in and receives an Access Token and User Profile.

NOTE: The duoRedirectURI must be whitelisted and properly configured when Duo MFA is enabled, and the value passed at login must be the one you registered; the state returned on that redirect is what ties the callback to the login that started it.

Configuration Steps

Admin Console:

Configuring Duo Authentication in the LoginRadius Admin Console is covered in a separate document.

API Implementation

Implement the full Duo Authentication flow using the APIs outlined below.

  • Endpoint: /identity/v2/auth/login/2FA
  • Method: POST
  • Important: Add duoredirecturi as a query parameter.
  • Purpose: Initiate MFA login and redirect the user for Duo Authentication.
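The workflow and the login call above leave two checks to the application: the duoRedirectURI it passes must be one it registered, and the state that comes back on the redirect must belong to the session that started the challenge. The following is an added example, not LoginRadius or Duo code, of those checks around the endpoints and the duoredirecturi query parameter named on this page. It assumes the registered redirect URI listed in ALLOWED_REDIRECT_URIS, that the application can see the state value issued when the challenge starts (whoever generates it), and an injected verify_call standing in for the PUT to the verification endpoint so the block runs offline; the request and response shapes of the real calls are not taken from the page.

```python
"""Added example (not LoginRadius or Duo code): server-side checks around the
Duo redirect: exact-match redirect URI allowlist, state bound to the session
and accepted once, then the verification call."""
import hmac
from urllib.parse import urlencode, urlsplit

# Endpoints and query parameter name as given on this page.
LOGIN_2FA_ENDPOINT = "/identity/v2/auth/login/2FA"                    # POST
DUO_VERIFY_ENDPOINT = "/identity/v2/auth/login/2fa/verification/duo"  # PUT

# Assumption for the example: the exact redirect URIs registered (whitelisted)
# in the LoginRadius console.
ALLOWED_REDIRECT_URIS = frozenset({"https://app.example.com/auth/duo/callback"})


def validate_redirect_uri(uri: str) -> bool:
    """Exact-match allowlist check: no prefix or substring matching, HTTPS only,
    and no userinfo, query string or fragment that an attacker could append."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password or parts.query or parts.fragment:
        return False
    return uri in ALLOWED_REDIRECT_URIS


class DuoLoginFlow:
    """Tracks one pending Duo challenge per application session.

    verify_call is injected (assumed signature: verify_call(endpoint, state,
    duo_code) -> dict) so the example runs offline; in production it performs
    the PUT to DUO_VERIFY_ENDPOINT."""

    def __init__(self, verify_call):
        self._verify_call = verify_call
        self._pending = {}  # session_id -> state issued for that session

    def begin_challenge(self, session_id, redirect_uri, issued_state):
        """Validate the redirect URI before starting the challenge and bind the
        state issued for this challenge to the caller's session. Assumption:
        issued_state is the state value the application sees when the challenge
        starts, which the page says comes back on the redirect."""
        if not validate_redirect_uri(redirect_uri):
            raise ValueError("duoRedirectURI is not allowlisted: %r" % redirect_uri)
        if session_id in self._pending:
            raise ValueError("a Duo challenge is already pending for this session")
        self._pending[session_id] = issued_state
        return {
            "method": "POST",
            "url": LOGIN_2FA_ENDPOINT + "?" + urlencode({"duoredirecturi": redirect_uri}),
        }

    def handle_callback(self, session_id, state, duo_code):
        """Accept the redirect only if state matches the one bound to this
        session. The pending entry is removed on the first attempt, so a replayed
        or guessed state cannot be retried against the same challenge."""
        expected = self._pending.pop(session_id, None)
        if expected is None:
            return {"ok": False, "reason": "no pending challenge for session"}
        if not hmac.compare_digest(expected.encode(), str(state).encode()):
            return {"ok": False, "reason": "state mismatch"}
        if not duo_code:
            return {"ok": False, "reason": "missing duo_code"}
        result = self._verify_call(DUO_VERIFY_ENDPOINT, state, duo_code)
        return {"ok": True, "verification": result}


def fake_verify(endpoint, state, duo_code):
    """Stand-in for the real PUT: records what would have been sent."""
    return {"endpoint": endpoint, "state": state, "duo_code": duo_code}


def demo():
    """Happy path, then a replay of the same callback, which must be rejected."""
    flow = DuoLoginFlow(fake_verify)
    req = flow.begin_challenge("sess-1", "https://app.example.com/auth/duo/callback", "st_abc")
    first = flow.handle_callback("sess-1", "st_abc", "code-123")
    replay = flow.handle_callback("sess-1", "st_abc", "code-123")
    return req, first, replay


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The allowlist is compared by exact string rather than by prefix because a prefix match on https://app.example.com/auth/duo/callback would also accept https://app.example.com.evil.example/... or a path with ../ segments; the state comparison uses hmac.compare_digest so a mismatch is not timing-observable.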

Duo MFA - Quick API Summary

Stage                             API                                                 Method  Purpose
Initiate Challenge                /identity/v2/auth/login/2FA                         POST    Start Duo Authentication
Verify During Login               /identity/v2/auth/login/2fa/verification/duo        PUT     Validate login with Duo
Verify Post-Login (Optional MFA)  /identity/v2/auth/account/2fa/verification/duo      PUT     Register Duo MFA
Re-authenticate                   /identity/v2/auth/account/reauth/2fa/duo            PUT     Re-auth for sensitive actions
Reset Duo (User)                  /identity/v2/auth/account/2fa/authenticator/duo     DELETE  Reset by Access Token
Reset Duo (Admin)                 /identity/v2/manage/account/2FA/authenticator/duo   DELETE  Reset by UID

Best Practices

  • Always Whitelist and Validate the duoRedirectURI
    Whitelist the exact HTTPS duoRedirectURI (no wildcards or prefix matches) and compare the value your application uses against that list, so the Duo redirect cannot be pointed at an attacker's site. Before calling the Verification API, also confirm that the returned state is the one issued for the current session, so a callback cannot be replayed or injected into another user's login.

  • Educate Users About Duo Push Approval
    Tell users to approve only login requests they initiated and to report unexpected prompts immediately; a run of unsolicited pushes usually means the password is already compromised and someone is trying to wear the user down into approving one.

  • Use Re-Authentication for High-Risk Actions
    Configure Duo Re-Authentication before allowing critical actions like password changes, transaction approvals, etc.

  • Monitor MFA Challenges
    Track abnormal patterns such as many challenges to one user with no approval (push fatigue), many failed verifications from one IP address (brute force), and approvals from unusual locations, to detect credential stuffing and phishing attempts early.

  • Limit MFA Reset Privileges
    Allow only privileged admins to reset user MFA settings to reduce the risk of abuse.
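As an added example of the "Monitor MFA Challenges" practice above (not LoginRadius or Duo code, and not their log format), the following runs two detections over constructed MFA event lines: a burst of challenges to one user inside a short window with no approval, which is the push-fatigue pattern, and a burst of failed verifications from one IP address. The event names, fields, window and thresholds are assumptions for the example.

```python
"""Added example (not LoginRadius or Duo code): push-fatigue and failure-burst
detection over constructed MFA event log lines."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed tuning: thresholds a practitioner would adjust to their own traffic.
WINDOW = timedelta(minutes=10)
CHALLENGE_THRESHOLD = 5   # challenges to one user inside WINDOW with no approval
FAILURE_THRESHOLD = 5     # failed verifications from one IP inside WINDOW
FAILURE_EVENTS = {"denied", "timeout", "invalid_passcode"}

# Constructed sample log (one JSON object per line; not a real log format):
# alice is being push-bombed from one IP, bob approves a normal login.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:01Z","user":"alice","ip":"203.0.113.7","event":"challenge_sent"}
{"ts":"2024-05-01T09:00:40Z","user":"alice","ip":"203.0.113.7","event":"denied"}
{"ts":"2024-05-01T09:01:05Z","user":"alice","ip":"203.0.113.7","event":"challenge_sent"}
{"ts":"2024-05-01T09:01:50Z","user":"alice","ip":"203.0.113.7","event":"timeout"}
{"ts":"2024-05-01T09:02:10Z","user":"alice","ip":"203.0.113.7","event":"challenge_sent"}
{"ts":"2024-05-01T09:02:55Z","user":"alice","ip":"203.0.113.7","event":"denied"}
{"ts":"2024-05-01T09:03:00Z","user":"alice","ip":"203.0.113.7","event":"challenge_sent"}
{"ts":"2024-05-01T09:03:40Z","user":"alice","ip":"203.0.113.7","event":"denied"}
{"ts":"2024-05-01T09:04:00Z","user":"alice","ip":"203.0.113.7","event":"challenge_sent"}
{"ts":"2024-05-01T09:04:30Z","user":"alice","ip":"203.0.113.7","event":"timeout"}
{"ts":"2024-05-01T09:05:00Z","user":"bob","ip":"198.51.100.9","event":"challenge_sent"}
{"ts":"2024-05-01T09:05:20Z","user":"bob","ip":"198.51.100.9","event":"approved"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def first_burst(times, threshold):
    """Return (start, end) of the first run of `threshold` timestamps that fits
    inside WINDOW, or None when no such run exists."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= WINDOW:
            return times[i], times[i + threshold - 1]
    return None


def detect(events):
    """Run both rules and return one alert dict per user or IP that trips one."""
    challenges = defaultdict(list)   # user -> challenge timestamps
    approvals = defaultdict(list)    # user -> approval timestamps
    failures = defaultdict(list)     # ip -> failed-verification timestamps
    for e in events:
        if e["event"] == "challenge_sent":
            challenges[e["user"]].append(e["ts"])
        elif e["event"] == "approved":
            approvals[e["user"]].append(e["ts"])
        elif e["event"] in FAILURE_EVENTS:
            failures[e["ip"]].append(e["ts"])

    alerts = []
    for user, times in challenges.items():
        burst = first_burst(times, CHALLENGE_THRESHOLD)
        # Repeated prompts that the user never approves: push fatigue / MFA bombing.
        if burst and not any(burst[0] <= t <= burst[1] for t in approvals[user]):
            alerts.append({"rule": "push_fatigue", "user": user,
                           "count": sum(burst[0] <= t <= burst[1] for t in times)})
    for ip, times in failures.items():
        burst = first_burst(times, FAILURE_THRESHOLD)
        # Many failed second factors from one source: brute force or scripted abuse.
        if burst:
            alerts.append({"rule": "failure_burst", "ip": ip,
                           "count": sum(burst[0] <= t <= burst[1] for t in times)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log this raises one push_fatigue alert for alice and one failure_burst alert for 203.0.113.7, and nothing for bob, whose single challenge was approved. The approval check matters: a user who legitimately retries a few pushes and then approves should not page the on-call engineer.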