Duo Security two-factor authentication

Duo Security is a multi-factor authentication (MFA) provider that confirms the identity of users and the health of their devices before the user gets access. Duo supports push notifications, time-based one-time passwords (TOTP), text messages (SMS), voice calls, and emails for two-factor authentication (2FA).

Enterprise Threat Protector (ETP) provides remote access and MFA, and integrates with Duo’s 2FA services. If you are currently using Duo as a 2FA solution, you can provide some Duo-specific information in ETP to verify identity and access privileges.

Within the Duo application, a Duo administrator can generate a unique set of configuration parameters. These configuration parameters are then entered into the corresponding MFA fields in an identity provider configuration.
  • Integration key or ikey: A unique identifier that allows you to retrieve users' API keys based on email and password.
  • Secret key or skey: A unique identifier used for encryption of data.
  • API hostname: Your API hostname used for all API interactions with Duo. For example, api-XXXXXXXX.duosecurity.com

You'll need these keys and hostname when configuring your system to work with Duo.

When configuring Duo in ETP, you can also define the UserID attribute. The Duo user ID attribute determines how the usernames listed in Duo appear. Choose one of these attributes:
  • Email
  • SAM account name
  • User Principal Name
  • Domain/SAM account name
Depending on the directory your organization uses, make sure you consider these points when defining the UserID attribute.
  • When using OpenLDAP to authenticate users in the Login Portal, ETP supports only email as the Duo UserID attribute.
  • When using Active Directory (AD) to authenticate users in the Login Portal, ETP supports all Duo UserID attributes.

All communication between the Login Portal and Duo is secured with TLS. ETP validates the server certificate before sending any information or data to the Duo service.
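
A pre-flight check for the values described above, as an added example that is not part of the ETP or Duo documentation. The settings dictionary, its key names, and the directory and attribute labels are hypothetical, and the hostname pattern assumes that XXXXXXXX stands for eight letters or digits.

```python
import re

# Assumption: XXXXXXXX in the sample hostname is eight letters or digits.
API_HOST_RE = re.compile(r"api-[0-9a-z]{8}\.duosecurity\.com")

# UserID attributes listed on the page, under hypothetical labels.
ALL_ATTRS = {"email", "sam_account_name", "user_principal_name",
             "domain_sam_account_name"}
SUPPORTED = {
    "openldap": {"email"},          # OpenLDAP: email only
    "active_directory": ALL_ATTRS,  # AD: all UserID attributes
}


def check_duo_settings(cfg):
    """Return a list of problems found in a (hypothetical) settings dict."""
    problems = []
    for key in ("ikey", "skey"):
        if not str(cfg.get(key) or "").strip():
            problems.append(f"{key} is empty")
    host = str(cfg.get("api_hostname") or "").strip().lower()
    # fullmatch rejects schemes, ports, paths and look-alike suffixes such as
    # api-1a2b3c4d.duosecurity.com.example.net
    if not API_HOST_RE.fullmatch(host):
        problems.append("api_hostname is not api-XXXXXXXX.duosecurity.com")
    directory = cfg.get("directory")
    attr = cfg.get("userid_attribute")
    allowed = SUPPORTED.get(directory)
    if allowed is None:
        problems.append(f"unknown directory type: {directory!r}")
    elif attr not in allowed:
        problems.append(f"{attr!r} is not supported with {directory}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {
        "ikey": "EXAMPLE-IKEY",
        "skey": "EXAMPLE-SKEY",
        "api_hostname": "api-1a2b3c4d.duosecurity.com",
        "directory": "openldap",
        "userid_attribute": "sam_account_name",
    }
    for problem in check_duo_settings(sample):
        print("config problem:", problem)
```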