Implementing Duo two-factor authentication into your site involves splitting your login handler into two parts. You should be familiar with your web application's programming language and authentication process.
For example, a typical single factor login process looks something like this:
After adding Duo authentication it will look more like this:
To use a different language not available as an SDK or to create your Duo integration without using one of our SDKs, see the OIDC Auth API.
Duo's next-generation authentication experience, the Universal Prompt, is coming to web-based applications that display the current Duo Prompt in browsers. Migration of Web SDK v2 applications to Web SDK v4 is a prerequisite for enabling the future Universal Prompt experience.
Migration to Universal Prompt for your Duo Web application will be a two-step process:
If you're creating a Duo Web application for the first time, building it with the Duo Web v4 SDK ensures it will support the Universal Prompt in the future.
The "Universal Prompt" section on the details page of your new Duo Web SDK application shows the status as "Waiting on Duo" with the information that the application supports Universal Prompt. Build your new Duo integration with the v4 Web SDK so that it's ready for the Universal Prompt.
The "Universal Prompt" section on the details page of your existing Duo Web v2 iframe application indicates availability of the Web SDK v4 update.
Once you update your Duo integration to use Web SDK v4, and a user authenticates to that existing application via the frameless Duo v4 SDK, the "Universal Prompt" section of the Duo Web application page reflects a status change to "Waiting on Duo" with the information that the application now supports Universal Prompt. In addition, the "Integration key" and "Secret key" property labels for the application update to "Client ID" and "Client secret" respectively. The values for these properties remain the same.
When the Universal Prompt becomes available, you'll return here to activate it for users of this application. The status will change to "New Prompt Ready", and you'll see the control here for turning it on or off. Until then, your users continue to experience the current Duo prompt.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications that will have Universal Prompt support.
Watch the Duo Blog for future updates about the Duo Universal Prompt.
If you're interested in participating in a private preview of the Universal Prompt experience once your Duo Web SDK application shows the "Waiting on Duo" status, please apply using this form.
See the Universal Prompt Update Guide for an overview of the new Universal Prompt and its advantages over the previous Web SDK.
The Web SDK 4 Universal Prompt Web SDK is a brand new experience with a substantially different integration flow from the previous Web SDK 2.
Web SDK 4 has some key technical differences from Web SDK 2:
client secretinstead of an
skey(note that these are the same values, relabeled with new names in v4).
If you already have an existing Web SDK application, you do not need to create a new one to migrate it to Web SDK 4. You may reuse that existing integration with your Web SDK v4 updated application.
Note: After upgrading your Application to use Web SDK 4, the Duo Prompt will have identical appearance and functionality as the Web SDK 2 prompt. Enabling the new Universal Prompt (when made available by Duo) will be a separate step, outlined in the Duo Universal Prompt Update Guide.
To begin development with a new Duo Web SDK integration:
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the 2FA-only entry for Web SDK in the applications list. Click Protect to the far-right to configure the application and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".
Use NTP to ensure that your server's time is correct.
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
Client libraries are currently offered for Python, Java and PHP. To integrate with another language, please see the Duo OIDC-based API documentation.
Issue the following command:
pip install duo_universal
Refer to the Duo Universal Prompt Python sample project for a complete example of how to use the SDK.
View the Duo Universal Prompt Java example project for a complete example of how to use the SDK.
Add the following to the
<dependencies> section of your
<dependency> <groupId>com.duosecurity</groupId> <artifactId>duo-universal-sdk</artifactId> <version>1.0.3</version> </dependency>
Add the following to the
dependencies section of your
implementation group: "com.duosecurity", name: "duo-universal-sdk", version: "1.0.3"
Find the latest jar on the duo_universal_java Github releases page.
Issue the following command:
composer require duosecurity/duo_universal
Refer to the Duo Universal Prompt PHP example project for a complete example of how to use the SDK.
After you perform primary authentication (e.g. look up a user's username and password in your database), you should create a
Client() object which initializes the secondary authentication process.
Client() takes your Duo Web application's Client ID (or Integration key) as
client_id, Client secret (or Secret key) as
client_secret, and API hostname as
api_host information from the Duo Admin Panel, as well as a
redirect uri which Duo will use to redirect back to your application after authentication.
The redirect URI will be a separate endpoint on your service that listens for the Duo Prompt redirection callback. E.g. if your login form is at
https://example.com:8080/login, then your
redirect uri could be
https://example.com:8080/duo-callback. This URI does not need to be publicly accessible by Duo, it will only be accessed from the end-user’s web browser. Must be a well-formed with a valid HTTPS URL and port, using a hostname (not an IP address).
import duo_universal duo_client = duo_universal.Client(client_id, client_secret, api_host, redirect_uri)
The security of your Duo application is tied to the security of your client secret (secret key). Treat these pieces of data like a password. They should be stored in a secure manner with limited access, whether that is in a database, a file on disk, or another storage mechanism. Always transfer them via secure channels, and do not send them over unencrypted email, enter them into chat channels, or include them in other communications with Duo.
A call to
health_check() determines if Duo’s servers are accessible and available to accept the 2FA request. If Duo’s servers are inaccessible for any reason (e.g. networking issues, services outage), this method raises an error, and your application can decide how to proceed (i.e. to “Fail Open” and allow the login without completing Duo authentication, or to “Fail Closed” and prohibit the login completely).
try: duo_client.health_check() except DuoException: # Either allow login without 2FA, or abort the login process
generate_state() generates a session identifier. This identifier will be passed to Duo, and should also be stored locally in your code use later to validate Duo's responses. The validation will occur in a different endpoint / web request, so you should store the state in your web framework’s session.
state = duo_client.generate_state() flask.session[‘state’] = state
create_auth_url() takes the user’s username and the previously generated
state and returns a URL to a Duo-hosted endpoint.
prompt_uri = duo_client.create_auth_url(username, state)
Redirect the client web browser to the previously created URI. This is where the end-user is shown the Duo Prompt to complete their authentication. The redirect code is specific to your web framework.
After Duo successfully verifies the user — authentication approval via phone call, SMS passcode, Duo Push, etc. or permitted access with bypass of interactive authentication after Duo policy evaluation — their browser is then redirected to the
redirect_uri specified earlier in the
Client() object. This URI should be an endpoint in your service which completes the remainder of the end-user’s login.
This request includes two GET parameters in the SDK:
@app.route("/duo-callback") def duo_callback(): state = request.args.get('state') code = request.args.get('duo_code')
state parameter value received from the redirect should be validated against the previously saved
state value. If they don't match, this indicates a security issue and the login attempt should be aborted.
if state != flask.session['state']: # Abort login attempt
exchange_authorization_code_for_2fa_result() takes the
code parameter from the previous step, as well as the
username. This method calls Duo’s service to have your server validate that the user successfully authenticated with Duo.
This method raises a
DuoException if the user fails Duo authentication for any reason. If it does not raise an error, then the user has successfully completed Duo authentication. The returned token object contains metadata about the authentication.
try: decoded_token = duo_client.exchange_authorization_code_for_2fa_result(code, username) except DuoException as e: # Handle authentication failure. # User successfully passed Duo authentication.