Setting up Two-Factor Authentication (TFA) - Duo Security
You can integrate Duo Security with PAM360 for two-factor authentication.
Here are the steps required:
Step 1: Configuring PAM360 - Duo Security Integration
If you use Duo in your environment, you can integrate it with PAM360 and use Duo Security authentication as the second level of authentication. This section explains the configuration involved.
PAM360 - Duo Security Integration
- Sign up for a Duo account.
- Log in to the 'Duo Admin Panel' and add a new application.
- Click the 'Protect an application' button. The 'Protect an application' page lists the applications you can protect with Duo.
- Search for Web SDK, click "Protect This Application", fill in the required fields and save.
- While saving, note the integration key, secret key and API hostname; these must be entered in the PAM360 GUI (in step 2 below).
- Enroll your users with Duo and start authenticating.
Step 2: Configuring TFA in PAM360
- Go to Admin >> Authentication >> Two-factor Authentication.
- In the UI that opens up, choose the option "Duo Security".
- Provide the following details that you noted down in step 1:
- Integration key
- Secret key
- API hostname
- Click "Save".
- Then click Confirm to enforce Duo Security as the second factor of authentication.
Step 3: Enforcing TFA for Required Users
- Once you confirm Duo Security as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom two-factor authentication should be enforced.
- You can enable or disable two-factor authentication for a single user or for multiple users in bulk from here. To enable two-factor authentication for a single user, click the 'Enable' button beside that username. For multiple users, select the required usernames and click 'Enable' at the top of the user list. Similarly, you can also 'Disable' two-factor authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.
How to Connect to PAM360 Web Interface when TFA is Enabled?
Users for whom two-factor authentication is enabled have to authenticate twice in succession. As explained above, the first level is PAM360's usual authentication: the user authenticates through PAM360's local authentication or AD/LDAP authentication. Depending on the type of TFA chosen by the administrator, the second level of authentication differs, as explained below:
- Upon launching the PAM360 web interface, the user enters the username and the local authentication or AD/LDAP password and clicks "Login".
- Once the first level of authentication succeeds, PAM360 prompts the user to choose one of the three authentication methods offered by Duo:
- 'Duo Push': tap 'Approve' on the Duo Push request sent to your phone.
- 'Call me': you receive a call on your phone. Answer it and press a key to authenticate.
- 'One Time Passcode' via SMS: a passcode is sent to your phone, so you can complete two-factor authentication even when the phone has no internet connectivity.
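The login sequence just described (first factor in PAM360, then the Duo prompt, then PAM360 accepting Duo's answer) is what a Duo Web SDK integration does under the hood, and it is where the integration key and secret key from step 1 are used. The following is an added example, not PAM360's or Duo's code: a Python re-implementation of the request-signing and response-verification scheme of Duo Web SDK v2 (the scheme used by Duo's open-source client libraries), showing why the secret key must stay confidential and how the expiry and integration-key binding reject stale or foreign responses. The `now` parameter, the `duo_side_simulated` stand-in for Duo's service, and the key values in the test are constructed for offline use and are not real Duo values.

```python
import base64, hashlib, hmac, time

# Prefixes and lifetimes of the Duo Web SDK v2 signing scheme; 'now' is injectable for tests.
DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600  # seconds

def _sign_vals(key, vals, prefix, expire, now=None):
    """Build '<prefix>|base64(user|ikey|exp)|HMAC-SHA1(key, '<prefix>|base64')'."""
    exp = str(int(time.time() if now is None else now) + expire)
    cookie = f"{prefix}|{base64.b64encode('|'.join(vals + [exp]).encode()).decode()}"
    return f"{cookie}|{hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()}"

def _parse_vals(key, val, prefix, ikey, now=None):
    """Return the username if signature, prefix, ikey and expiry all check out, else None."""
    try:
        u_prefix, u_b64, u_sig = val.split("|")
        sig = hmac.new(key.encode(), f"{u_prefix}|{u_b64}".encode(), hashlib.sha1).hexdigest()
        user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
        ok = hmac.compare_digest(sig, u_sig) and u_prefix == prefix and u_ikey == ikey
        ok = ok and int(time.time() if now is None else now) < int(exp)  # reject expired/replayed legs
    except (ValueError, TypeError, UnicodeDecodeError):  # malformed input is a failed check
        return None
    return user if ok else None

def sign_request(ikey, skey, akey, username, now=None):
    """Application side, after the first factor succeeded: the sig_request for the Duo frame.
    Duo trusts the skey leg, so a leaked skey lets anyone forge it; the akey leg is known only
    to the application and binds the later response to this login attempt."""
    if len(ikey) != 20 or len(skey) != 40 or len(akey) < 40 or not username or "|" in username:
        raise ValueError("bad ikey/skey/akey length or username")
    duo_sig = _sign_vals(skey, [username, ikey], DUO_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(akey, [username, ikey], APP_PREFIX, APP_EXPIRE, now)
    return f"{duo_sig}:{app_sig}"

def verify_response(ikey, skey, akey, sig_response, now=None):
    """Application side: both legs of the posted-back sig_response must verify and agree on the user."""
    auth_sig, _, app_sig = sig_response.partition(":")
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    return auth_user if auth_user is not None and auth_user == app_user else None

def duo_side_simulated(skey, sig_request, now=None):
    """Constructed stand-in for Duo's service (not Duo's code): check the TX leg, then sign an
    AUTH leg, which real Duo does only after the user approves the push, call or SMS passcode."""
    tx, _, app = sig_request.partition(":")
    ikey = base64.b64decode(tx.split("|")[1]).decode().split("|")[1]
    user = _parse_vals(skey, tx, DUO_PREFIX, ikey, now)
    return None if user is None else f"{_sign_vals(skey, [user, ikey], AUTH_PREFIX, DUO_EXPIRE, now)}:{app}"
```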
To enroll while logging in:
- Click 'Start Setup' in the login page.
- Select the type of device you are adding and enter your phone number.
- Verify your phone number by scanning the QR code sent to your phone.
- After successful verification, click 'Continue to Login'.
If You Have Configured High Availability
Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID, one-time password, RADIUS or Duo) and you have configured high availability, you need to restart the PAM360 secondary server once.