Skip navigation
Product & Engineering

Video: Two-Factor Authentication for Web Apps with Duo’s Web SDK

We released an integration video to show you just how easy it is to set up two-factor authentication with your web-based application using Duo’s web SDK. Duo client libraries are available for Python, Ruby, Classic ASP, ASP.NET, Java, PHP, Node.js, Coldfusion, and Perl. Check it out!

Duo Security + Web SDK: In 7 Minutes

These libraries are available from Now for endless bullets to summarize the process (legit Duo Web documentation can be found here):

Step 1: Get started! Log into your Duo Admin Interface

  • Click on Integrations > Add New Integration

  • Select Integration Type dropdown > Web SDK, then Create Integration

Step 2: Download and install client library

  • Prior to installing, have your web server configured and ready for install.

  • From the Duo Web documentation, click on the PHP link for the supported client library.

  • Download the demo folder contents

Step 3: Set up a web app with your Duo web SDK integration

  • Start by generating an AKEY.

  • For the demo, we can run a command to generate a random AKEY string in Python.

  • Copy and paste the string into the AKEY value within the index.php file

  • Navigate to the Duo Admin Interface to find integration key, secret key and API hostname.

  • Paste the values into the index.php file where the variables are defined.

Step 4: Open the index.php page through the web server

  • Navigate to the page via a browser (in this case, a local directory as we’re running the demo web server locally).

Breakdown of the key steps of the two-factor authentication function within the index.php file:

  • Step 1 (near bottom of code) handles the primary authentication login; username + login

  • Step 2 (near top of code) generates a sig_request, and loads Duo’s iframe for secondary authentication.

    • Duo’s JavaScript handles setup and communication between the iframe, the user and your server. You just need to add a short snippet of JavaScript code (5:00).

    • A Duo iframe is placed on the page to display the secondary auth prompt.

    • The iframe generates a sig_request and posts it back to the post_action URL, then we call verify sig response to verify that the signed response is legitimate.

  • Step 3: verifyResponse takes the IKEY, SKEY, AKEY and sig_response as inputs, then returns the username of the authenticated user if the response is valid, or null if invalid.

  • After validation, any identifier (cookie, session state or other) can be set to ensure the user has successfully authenticated.

Step 5: Test it out!

  • Login with your username/password

  • On the two-factor authentication screen prompt, choose your authenticator:

  • Complete the authentication prompt to login.

And you’re good to go. You’ve set up two-factor authentication using Duo’s web SDK for your web application! Go forth and protect your user accounts.