Skip navigation
Product & Engineering

Empower Users and Save Time with Self-Service Portal

Since the launch of Duo Security, customers have taken advantage of the self-enrollment feature, which allows users to set up their own two-factor authentication devices after authenticating with their primary credentials, most commonly username and password. This feature alone has saved IT staff at companies like Threadless hundreds of hours spent manually enrolling and distributing authentication devices.

Tristan Hammond, IT Infrastructure Manager, Threadless:

I haven’t gotten a single complaint about it. Our overall experience with Duo has been extremely easy - that’s not something that always happens in the technology world.

But, there was a catch. Self-service enrollment only supports enrolling a user’s first two-factor authentication device. Self-enrollment was designed to follow the information security Trust On First Use principal: Once two-factor authentication is enabled for a service, Duo trusts authenticated users to enroll a two-factor authentication device the first time each new user logs in.

Organization administrators of Duo have always been able to modify, add and remove user devices, but until now this required that the users contact their IT department directly and submit a device change request. We knew we could do better.

Introducing Self-Service Portal

Help your users help themselves. All Duo web integrations can now be enabled with the Self-Service Portal. A single checkbox in the Admin Panel adds a fully-featured management portal that users can access after completing primary and secondary authentication.

Enable self-service portal

How It Works

Once the SSP is enabled users will see a new button, Manage devices, when authenticating. The Two-Factor Authentication "frame" is displayed after the user successfully completes primary authentication. The user clicks Manage devices, completes two-factor authentication with an existing device, and accesses the Self-Service Portal.

End user experience of SSP

Users can perform any of the following actions once authenticated to the self-service portal.

  • Enroll an additional authentication device (phone, tablet, etc.)
  • Remove an existing device
  • Reactivate Duo Mobile on an existing phone number – convenient when upgrading smartphones
  • Set default device, which will make it show up first in the device selection drop-down menu
  • Create a friendly name for the device, such as "Home phone"

Easy To Deploy, Easy To Trust

When designing this feature we wanted to make sure that administrators didn't need to set-up an additional web application just to get access to this new functionality. We also did not want to make users remember yet another password just to get access to this portal, and we knew that we had to require two-factor authentication with an already enrolled device in order to make it secure.

We considered several approaches and came to the conclusion that taking advantage of the existing, embedded frame was the best way to balance deployability, usability, and security. Admins simply need to enable the SSP on the integrations where they want to make it available and the Manage Devices button will be displayed to users the next time they are required to perform two-factor authentication.

Try It Today

The Self-Service Portal is available for all Enterprise Edition accounts. And since all of our free trials include Enterprise Edition features you can try it out right after you sign up for an account.

Not ready to sign up for a trial? Check out the Duo Outlook Web App Demo to try out the SSP user experience.

Check out the user documentation, which explains how to use the Self-Service Portal.

Note: Duo's Enterprise Edition is now known as Duo MFA. Please visit our Pricing page to view our latest editions.