Getting Started with Duo

With broad application support, Duo protects access to your organization's resources like VPN, email, web portals, cloud services, local operating system logins, etc. After successful primary authentication against the identity store of your choice, your users simply and securely complete multi-factor authentication using a platform authenticator like Touch ID or Windows Hello, a WebAuthn security key, or a request pushed to our Duo Mobile smartphone app. Users may also authenticate by answering a phone call or by entering a one-time passcode generated by the Duo Mobile app, a compatible hardware token, or received via SMS. Device policies verify that only the systems you trust can access your resources.

Try Duo for Free

With a free 30-day trial of our Duo Advantage plan, you can see for yourself how easy it is to get started with Duo's trusted access.

Your Duo Advantage trial comes with most of the features and functionality of a paid Duo Advantage subscription like:

• Your choice of primary identity store, including hosting user identities in Duo Directory.
• Single Sign-On and Passwordless
• Risk-Based Authentication and Trust Monitor
• Identity Security
• Full access to Duo's Auth API, Admin API, and Web SDK
• And more!

New Duo customer accounts don't automatically receive voice telephony. That means you won't be able to use phone calls as a two-factor authentication method for both administrators and end users. Duo Push, SMS passcodes, security keys, and hardware tokens all remain available.

You also won't be able to make these user messaging customizations:

• Changes to enrollment email text set in the global Settings or during bulk enrollment
• Changes to the text of the Duo Mobile activation email or SMS messages
• Changes to the SMS message prefix

If you require telephony or customized email and SMS messaging as part of your Duo evaluation or subscription, please contact your Duo sales executive or Duo Support.

During your 30-day Duo Advantage trial, you may choose to explore Duo Premier edition instead. To convert your Duo Advantage trial to a Duo Premier trial, visit the "Billing" page in the Duo Admin Panel once you've logged in and click Try It Free under the Duo Premier plan description.

When your Duo Advantage trial ends, your account switches to the Duo Free plan automatically. You can continue using your Duo Free plan for up to 10 users at no cost. Paid features you enabled during your trial no longer have any effect. If you convert this free account to a paid subscription, we'll restore the settings created during the trial.

Guided Onboarding

Duo commits to providing you with the best experience possible. We want to be sure you have what you need, whether that be guidance on how to use our product or knowing where to go for help. The Duo Admin Panel onboarding journeys guide you through enrollment, setup, deployment, optimization, and monitoring your security setup.

To access guided onboarding:

1. Log in to the Duo Admin Panel.

2. Click on the Optimize button at the top of your Duo dashboard.

3. Click Optimize your setup.

The second-left navigation panel lists the onboarding journeys available to you. Each journey comprises multiple steps, shown as “Required” (default), “Optional”, “Caution”, or “Recommended”.

“Caution”, “Optional”, and “Recommended” steps may be skipped and, in some cases, may be manually marked as “Complete”. Each journey guides you through a specific set of tasks to achieve important milestones in your Duo setup. Each task links you to the "Admin Panel" page where you can perform the action described. If there is not a specific page in the application that corresponds to the task, documentation links will be provided.

The journeys offered correspond with different parts of the product based on your Duo edition and the features implemented within your organization.

Get Started with Duo

This journey guides you through basic setup steps for your Duo account.

1. Tell us about your current setup.

   • Which identity providers are you using today?
   • Select the identity providers you use today to review platform-specific setup instructions for those providers, such as automated integration setup or documentation links. If you do not wish to perform this task, you may select None and move to the next step.

2. Add your first user and application.

   • Add a test user or group.

     • Enroll your pilot users in Duo. We provide several methods for enrollment. Some applications also support self-enrollment by users in the Duo Universal Prompt when they access the protected service.

       Your Duo administrator login can't also be used to log into the service or device now protected by a Duo application, so don't forget to enroll a Duo user account for yourself now, or complete user self-enrollment after you set up your first Duo application in the next step.

   • Confirm password rules.

     • If you plan to host your users in Duo and want them to use passwords for authentication, configure the password options in your enrollment policy.

   • Test authentication with Duo Central.

     • Duo Central is a cloud-hosted portal that your users can visit to get access to your organization's applications and links or perform self-service device management tasks. Visit the Duo Central configuration page in the Admin Panel to find your Duo Central URL. Test user enrollment and access by logging in as one of the pilot users you created earlier.

       You can customize the subdomain in your Duo Central URL later in your Duo Single Sign-On settings.

   • Add an application.

     • Decide which service, system, or appliance you want to protect with Duo as a test. We recommend testing with a non-production application to start.

       Note: Effective June 30, 2023, Duo's cloud service no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. If you are unsure how this may affect your Duo deployment plans, please see the Duo Knowledge Base article to TLS support for Duo applications and TLS 1.0 and 1.1 end of support for additional information.

   • Check global policy.

     • This link will take you to the "Policies" page, where you can change default settings in the Global Policy, such as allowed authentication methods, or create new custom policies for application access and user management.

3. Expand to other users and applications.

   • Add more users or groups.

     • If you are using an external user directory you can add it to Duo as a source for directory sync. Syncing your external directory will import users so they don't need to be created manually, and import groups that you can use to assign application access or target with custom policies. Once two or more users or groups are detected, or a user directory sync selected in the “Tell us about your current setup” section is set up, this step will automatically complete.

   • Add more applications (Optional).

     • This task will take you to the to the "Application Catalog" page so that you may repeat the setup steps with multiple applications. This is an optional step.

   • Customize user schema.

     • Optionally create custom user attributes. Values for these custom attributes may be populated in Duo or imported from external directories.

   • Customize branding and enrollment email (Recommended).

     • Add your company logo and custom text for a clear enrollment and authentication experience on the "Settings" page. This step will automatically complete once you set a custom logo or brand image.

     Note: You can customize your branding before sending your first test enrollment, or can be done within this flow. We recommend that you complete branding setup before sending enrollment links to production users.

4. Support identity providers (Optional).

   • Configure an SSO authentication source.

     • This step will guide you in setting up an external source for SSO applications. Once an Active Directory or SAML provider authentication source for SSO is created, this task will auto-complete.

   • Set routing rules.

     • Routing rules direct your users to the correct authentication source when you have multiple sources present in your SSO configuration.

Set Up Your Administrators

This journey further secures administrator access to your Duo account.

1. Add administrators.

   • Add a second account owner.

     • This task will take you through the process of adding a second administrator with the "Owner" role to avoid account lockout. This step will complete once a second owner is activated.

   • Add more administrators (Optional).

     • This step will guide you to the "Add Administrator" page which will allow you to add additional administrators and assign them specific administrative roles. Once an additional administrator has been configured this step will complete.

2. Configure Duo Admin Panel Login (Optional).

   • Customize Admin Panel Login settings.

     • This step will take you to the "Administrator Login Settings" page to configure admin password requirements, authentication methods, and access options. New accounts have SMS, voice, and Duo Mobile passcodes administrator authentication methods disabled by default.

   • Configure Admin Panel SSO.

     • This step will allow you to log in the Duo Admin Panel using Duo Single Sign-On, Microsoft Entra ID, Google, or other SAML 2.0 providers.

3. Configure administrator permissions (Optional).

   • Assign Administrative Units.
     • Granularly control which of your Duo administrators can manage specific applications and groups with Administrative Units.

Establish Device Trust

This journey configures device access policies and protecting operating system logons.

1. Ensure device health with Duo Desktop.

   • Create a policy to require Duo Desktop.

     • This step will take you to "Policies" page and from there you can require the Duo Desktop app for Linux, macOS, or Windows. Once any of these are set this step will auto-complete.
     • Additionally, you may choose to require device registration using Duo Desktop.

   • Apply policy to a test group.

     • This step will take you to "Policies" page where you can configure and assign a policy for specific applications and groups.

   • Deploy the Duo Desktop app to users’ devices.

     • This step will take you to the "Device Registration" page where you may choose to require device registration using Duo Desktop.

2. Enable device trust using Trusted Endpoints.

   • Set up Duo Desktop.

     • This step will take you to the "Duo Desktop" page where you can learn more about how Duo Desktop and Trusted Endpoints are configured and monitored.

   • Configure mobile or desktop integration.

     • From this step you may add integrations to serve as management tools for your devices, including Duo Mobile. Once a device management tool is added this step will auto-complete. Additionally, if you add the integration as active, this will auto-complete the “Turn on integration” next step.

   • Turn on integration.

     • This step is a follow-up to the previous step. Once you have added a device management tool integration, click on the underlined blue integration title. This will take you to the integration configuration page where you can make the integration active.

   • Apply Trusted Endpoints policy to a test group (Optional).

     • This step is a continuation of the previous two steps. Once you have added an active device management tool integration, click on the underlined blue integration title. This will take you to the integration configuration page where you can test with a group or activate for all.

   • Apply Trusted Endpoints policy to an application or group.

     • This step is a continuation of the previous three steps. Once you have added an active device management tool integration, click on the underlined blue integration title. This will take you to the integration configuration page where you can test with a group or activate for all. Once the “Activate for all” option is selected, this step will auto-complete.

3. Protect local and remote logins with OS Logon (Optional).

   • Create an application for the OS clients you want to protect.

     • This step will take you to the "Application Catalog" page where you can create applications to protect Windows, macOS, or Unix/Linux operating system local or remote logons.

   • Enable Offline Access (for Windows Logon or macOS) Caution

     • This step takes you to the "Applications" page which will show you which applications you have already created. Click on the application you wish to configure. On the application configuration page there is a section titled “Offline Access Settings” where you can enable offline login and enrollment. This step is given a “Caution” label since offline authentication is less secure than traditional online methods and should be used sparingly.

   • Configure Passwordless Windows Logon.

     • This step is a continuation of the previous step. On the "Applications" page, click on a "Microsoft RDP" application. On that application's details page there is a section titled “Passwordless Settings” where you can allow passwordless login to Windows via Duo Push. When enabled, your users will have the option of enrolling in Passwordless for OS Logon. Duo Push is required for Passwordless to work. If Duo Push is disabled in the effective policy for the application, your users will fall back to password logon.

   • Enable Remembered Devices for Windows logon (Recommended).

     • This step is a continuation of the previous step. On the "Microsoft RDP" application's details page there is a section for policy. Click on the Edit Global Policy button under the Global policy section. On the left navigation bar under “Devices” there is a link titled “Remembered Devices”. Click here to be taken to the remembered devices policy configuration section, where you should enable the Remember devices for Windows Logon setting. This is a recommended step as it eliminates multiple 2FA requests within the configured parameters which makes accessing applications or networks easier and faster while still being trusted.

   • Deploy install file to a test machine, then desired machines.

     • This is a manual step that serves as the final step in deployment. Download the installer for the application from Duo and distribute it to your target client systems. Once you have completed your deployment you may manually mark this step complete to indicate that the journey is completed.

Next Steps

Now that you've experienced the ease of adding Duo protection to a test application and logging in to the application with Duo authentication, your next step is planning a full Duo deployment.

We've prepared a Liftoff guide that walks you through the stages of a typical organization Duo rollout.

Our Liftoff guide includes timelines and milestones, configuration best practices, tips for employee communications and training your support staff, and more!

Other Resources

Questions? Check our administration documentation and the rest of our documentation collections, the Duo Knowledge Base, or contact Duo Support for help.