Setting up Two-Factor Authentication - Duo Security
You can integrate Duo Security with Password Manager Pro for two-factor authentication.
Steps Required
- Configuring Password Manager Pro - Duo Security Integration
- Configuring Two-Factor Authentication in Password Manager Pro
- Enforcing Two-Factor Authentication for Required Users
1. Configuring Password Manager Pro - Duo Security Integration
If you have a Duo application in your environment, you can integrate it with Password Manager Pro and use Duo Security authentication as the second level of authentication. This section explains the configuration involved.
- Sign up for a Duo account.
- Log in to the 'Duo Admin Panel' and add a new application.
- Click the 'Protect an application' button. The 'Protect an application' page lists the applications you can protect with Duo.
- Search for Web SDK, click 'Protect This Application', fill in the required fields and save.
- While saving, take note of the Client ID, Client secret, and API hostname; these must be provided in the Password Manager Pro GUI (in step 2 below).
- Enroll your users with Duo and start authenticating.
Note: Password Manager Pro uses the latest Web SDK version, which supports both the traditional prompt and the universal prompt methods of authentication.
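Before entering the three values in step 2, it is worth confirming that what you copied from the Duo Admin Panel is well formed and actually accepted by Duo, so that a typo does not lock users out once enforcement is turned on. The script below is an added example and is not code from ManageEngine or Duo. It assumes the Universal Prompt (OIDC) flow of the Web SDK: the format checks (20-character Client ID, 40-character Client secret, api-*.duosecurity.com or api-*.duofederal.com hostname) and the HS512 client-assertion JWT posted to /oauth/v1/health_check mirror what Duo's own client libraries do, but verify the endpoint and claim set against Duo's current documentation for your SDK version.

```python
"""Sanity-check Duo Web SDK (Universal Prompt) credentials before enabling TFA.

Added example; assumptions: credential lengths, hostname pattern and the
health-check endpoint follow Duo's Universal Prompt client libraries.
"""
import base64
import hashlib
import hmac
import json
import os
import re
import time
import uuid
from urllib import parse, request

HOSTNAME_RE = re.compile(r"api-[a-z0-9]+\.(duosecurity|duofederal)\.com")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_credentials(client_id: str, client_secret: str, api_hostname: str) -> list:
    """Return a list of format problems (empty list means the values look right)."""
    problems = []
    if len(client_id) != 20:                       # assumption: Duo client IDs are 20 chars
        problems.append("Client ID should be 20 characters")
    if len(client_secret) != 40:                   # assumption: client secrets are 40 chars
        problems.append("Client secret should be 40 characters")
    if not HOSTNAME_RE.fullmatch(api_hostname):    # assumption: api-<id>.duosecurity.com
        problems.append("API hostname should look like api-xxxxxxxx.duosecurity.com")
    return problems


def build_client_assertion(client_id, client_secret, api_hostname, now=None, ttl=300) -> str:
    """Build the HS512-signed JWT that Duo accepts as client_assertion for the health check."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    payload = {
        "iss": client_id,
        "sub": client_id,
        "aud": f"https://{api_hostname}/oauth/v1/health_check",
        "exp": now + ttl,
        "jti": uuid.uuid4().hex,
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_assertion(token: str, client_secret: str) -> dict:
    """Check the HS512 signature and return the decoded claims (self-check of the builder)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def health_check(client_id: str, client_secret: str, api_hostname: str, timeout: int = 10) -> dict:
    """POST the signed assertion to Duo's health-check endpoint and return the JSON reply.

    A reply with "stat": "OK" means Duo accepted the Client ID / secret pair.
    """
    url = f"https://{api_hostname}/oauth/v1/health_check"
    body = parse.urlencode({
        "client_id": client_id,
        "client_assertion": build_client_assertion(client_id, client_secret, api_hostname),
    }).encode()
    req = request.Request(url, data=body, method="POST")
    with request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Read the values from the environment so the secret never lands in shell history.
    cid, sec, host = (os.environ.get(k, "") for k in ("DUO_CLIENT_ID", "DUO_CLIENT_SECRET", "DUO_API_HOSTNAME"))
    issues = validate_credentials(cid, sec, host)
    if issues:
        raise SystemExit("Credential format problems: " + "; ".join(issues))
    print(health_check(cid, sec, host))
```

Run it with DUO_CLIENT_ID, DUO_CLIENT_SECRET and DUO_API_HOSTNAME exported from a host that can reach the API hostname; a non-OK reply or an HTTP error means the values should be rechecked in the Duo Admin Panel before step 2 is completed.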
2. Configuring Two-Factor Authentication in Password Manager Pro
- Go to Admin >> Authentication >> Two-factor Authentication.
- In the UI that opens up, choose the option Duo Security.
- Provide the following details that you noted down in step 1:
- Client ID
- Client secret
- API hostname
- Click Save.
- Then, click on Confirm to enforce Duo Security as the second factor of authentication.
3. Enforcing Two-Factor Authentication for Required Users
- Once you confirm Duo Security as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom two-factor authentication should be enforced.
- You can enable or disable two-factor authentication for a single user or multiple users in bulk from here. To enable two-factor authentication for a single user, click on the Enable button beside their respective username. For multiple users, select the required usernames and click on Enable at the top of the user list. Similarly, you can also Disable two-factor authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.
3.1 How to Connect to the Password Manager Pro Web Interface When TFA is Enabled?
Users for whom two-factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication is the usual one: users authenticate through Password Manager Pro's local authentication or AD/LDAP authentication. Depending on the type of TFA chosen by the administrator, the second level of authentication differs as explained below:
- Upon launching the Password Manager Pro web interface, the user enters the username and the local authentication or AD/LDAP password and clicks "Login".
- Once the first level of authentication succeeds, Password Manager Pro prompts the user to choose one of the three authentication methods offered by Duo.
- The user can choose 'Duo Push' as the authentication method.
- Tap 'Send me a Push' on the Duo Push request sent to your phone.
- The user can also request a 'One Time Passcode' via SMS, which allows two-factor authentication to be completed even when the phone has no internet connectivity.
Note: This bulk edit operation will simply overwrite the current password reset configuration, if any, of the chosen resources.
To enroll while logging in, follow the below steps:
- Click Start Setup on the login page.
- Select the type of device you are adding and enter your phone number.
- Verify your phone number by scanning the QR code sent to your phone.
- After successful verification, click 'Continue' to log in to Password Manager Pro.
Note: If you have configured high availability, do the following:
Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID, One-time password, RADIUS or Duo), you need to restart the Password Manager Pro secondary server once.