Setting up Two-Factor Authentication (TFA) - Duo Security
Two-Factor Authentication (TFA), also called Multi-Factor Authentication, adds an extra layer of security to your accounts. Duo Security is a cloud-based multi-factor authentication service that provides secure access to your accounts, and PAM360 can integrate with Duo Security to provide two-factor authentication.
This document will walk you through the following topics:
- Configuring PAM360 - Duo Security Integration
- Configuring TFA in PAM360
- Enforcing TFA for Required Users
- Connecting to PAM360 Web Interface when TFA is Enabled
- Enrolling while Logging in
1. Configuring PAM360 - Duo Security Integration
If you have the Duo application in your environment, you can integrate it with PAM360 and leverage the Duo security authentication as the second level of authentication. This section explains the configurations involved:
- Sign up for a Duo account.
- Log in to the Duo Admin Panel and add a new application.
- Click the Protect an application button. The 'Protect an application' page lists the applications you can protect with Duo.
- Search for Web SDK, click Protect This Application, fill in the required fields, and save.
- While saving, note the Client ID, Client Secret, and API hostname; these must be entered in the PAM360 GUI (in step 2 below).
- Enroll your users with Duo and start authenticating.
Note: PAM360 uses the latest Web SDK version, which supports both the traditional prompt and the universal prompt methods of authentication.
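Before entering the three values in PAM360 (step 2), you can confirm from any host that reaches the API hostname that they are valid. The following is an added example, not PAM360's or Duo's own code: it builds the client assertion the Duo Web SDK health check expects (an HS512 JWT keyed with the Client Secret, with `iss` and `sub` set to the Client ID) and posts it; the credential values and hostname are placeholders you replace with those noted in step 1.

```python
# Added example, not PAM360's or Duo's own code: build the HS512-signed client
# assertion that the Duo Web SDK health check expects and post it to
# https://<API hostname>/oauth/v1/health_check using the values from step 1.
import base64, hashlib, hmac, json, secrets, time
import urllib.parse, urllib.request
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWTs use unpadded base64url encoding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_client_assertion(client_id: str, client_secret: str,
                           api_hostname: str, now: Optional[float] = None) -> str:
    """JWT keyed with the Client Secret that identifies the application to Duo."""
    if len(client_id) != 20 or len(client_secret) != 40:
        raise ValueError("Duo Client ID is 20 chars, Client Secret is 40 chars")
    now = time.time() if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": f"https://{api_hostname}/oauth/v1/health_check",
        "exp": int(now) + 300,          # short-lived: five minutes
        "jti": secrets.token_hex(18),   # unique per request, so it cannot be replayed
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha512)
    return signing_input + "." + _b64url(sig.digest())

def verify_client_assertion(token: str, client_secret: str) -> Optional[dict]:
    # Return the claims when the HS512 signature matches, else None.
    head, body, sig = token.split(".")
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def duo_health_check(client_id: str, client_secret: str, api_hostname: str) -> bool:
    """POST the assertion to Duo; True when the reply is {"stat": "OK"}."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_assertion": build_client_assertion(client_id, client_secret, api_hostname),
    }).encode()
    url = f"https://{api_hostname}/oauth/v1/health_check"
    with urllib.request.urlopen(url, data=form, timeout=10) as resp:
        return json.load(resp).get("stat") == "OK"
```

A False result or an HTTP error means the Client ID, Client Secret or API hostname is wrong or the host cannot reach Duo, which is worth fixing before the values are saved in PAM360.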
2. Configuring TFA in PAM360
- Go to Admin >> Authentication >> Two-factor Authentication.
- In the UI that opens up, choose the option Duo Security.
- Provide the following details that you noted down in step 1:
- Client ID
- Client Secret
- API hostname
- Click Save.
- Then, click on Confirm to enforce Duo Security as the second factor of authentication.
3. Enforcing TFA for Required Users
- Once you confirm Duo Security as the second factor of authentication in the previous step, a new window prompts you to select the users for whom two-factor authentication should be enforced.
- You can enable or disable Two-Factor Authentication for a single user or multiple users in bulk from here. To enable two-factor authentication for a single user, click on the Enable button beside their respective username. For multiple users, select the required usernames and click on Enable at the top of the user list. Similarly, you can also Disable two-factor authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.
4. Connecting to PAM360 Web Interface when TFA is Enabled
Users for whom two-factor authentication is enabled have to authenticate twice in succession. As explained above, the first level of authentication is the usual one: users authenticate through PAM360's local authentication or AD/LDAP authentication. The second level differs depending on the type of TFA chosen by the administrator, as explained below:
- Upon launching the PAM360 web interface, the user enters the username and the local authentication or AD/LDAP password and clicks Login.
- Once the first level of authentication succeeds, PAM360 prompts you to choose one of the three authentication methods offered by Duo.
- For example, you can choose Duo Push as the authentication method.
Note: This bulk edit operation will simply overwrite the current password reset configuration, if any, of the chosen resources.
5. Enrolling while Logging in
- Click Start Setup in the login page.
- Select the type of device you are adding and enter your phone number.
- Verify your phone number by scanning the QR code sent to your phone.
- After successful verification, click Continue.
If you have configured High Availability:
Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID, one-time password, RADIUS, or Duo) and you have configured high availability, you must restart the PAM360 secondary server once.