Setting up two-factor authentication - Duo Security
You can integrate Duo security with Password Manager Pro for two-factor authentication.
Summary of steps:
- Configuring Password Manager Pro - Duo security integration.
- Configuring two-factor authentication in Password Manager Pro.
- Enforcing two-factor authentication for required users.
Step 1: Configuring Password Manager Pro - Duo security integrationDuo security
If you have Duo Application in your environment, you can integrate it with Password Manager Pro and leverage the Duo security authentication as the second level of authentication. This section explains the configurations involved.
Password Manager Pro - Duo security integration
- Sign up for a Duo account.
- Log in to the 'Duo Admin Panel' and add a new application.
- Click the 'Protect an application' button. The 'Protect an application' page lists the applications you can protect with Duo.
- Search for Web SDK and click "Protect This Application" and fill the required field and save it.
- While saving, take a note of integration key, secret key and API hostname which must be provided in Password Manager Pro GUI (in step 2 below).
- Enroll your users with Duo and start authenticating.
Step 2: Configuring two-factor authentication in Password Manager Pro
- Go to Admin >> Authentication >> Two-factor Authentication.
- In the UI that opens up, choose the option "Duo Security".
- Provide the following details that you noted down in step 1,
- Integration key
- Secret key
- API hostname
- Click "Save".
- Then, click on Confirm to enforce Duo Security as the second factor of authentication.
Step 3: Enforcing two-factor authentication for required users
- Once you confirm Duo Security as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom two-factor authentication should be enforced.
- You can enable or disable two-factor authentication for a single user or multiple users in bulk from here. To enable two-factor authentication for a single user, click on the 'Enable' button beside their respective username. For multiple users, select the required usernames and click on 'Enable' at the top of the user list. Similarly, you can also 'Disable' two-factor authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authenitcation.
How to connect to Password Manager Pro web-interface when TFA is enabled?
The users for whom two-factor authentication is enabled, will have to authenticate twice successively. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through Password Manager Pro's local authentication or AD/LDAP authentication. Depending on the type of TFA chosen by the administrator, the second level of authentication will differ as explained below:
- Upon launching the Password Manager Pro web-interface, the user has to enter the username and local authentication or AD/LDAP password to log in to Password Manager Pro and click "Login".
- Once the first level of authentication succeeds, Password Manager Pro will prompt you to choose an authentication method out of the three options offered by Duo.
- You can choose 'Duo Push' as an authentication method
- Tap 'Approve' on the Duo Push request sent to your phone.
- You can click the 'Call me' option, upon which you will get a call on your phone. Answer and press a key to authenticate.
- You can also request a 'One Time Passcode' via SMS on your phone, allowing users to avail two-factor authentication even when there is no internet connectivity.
Note: This bulk edit operation will simply overwrite the current password reset configuration, if any, of the chosen resources.
To enroll while logging in,
- Click 'Start Setup' in the login page.
- Select the type of device you are adding and enter your phone number.
- Verify your phone number by scanning the QR code sent to your phone.
- After succesful verification, click 'Continue to Login'.
If you have configured high availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password or RADIUS or Duo) AND if you have configured high availability, you need to restart the Password Manager Pro secondary server once.