Getting Started with Duo Security

Last Updated: April 18th, 2025

Add robust two-factor authentication to your VPN, email, web portal, cloud services, etc. with Duo. After successful primary authentication, your users simply and securely approve a secondary authentication request using a platform authenticator like Touch ID or Windows Hello, a WebAuthn security key, or a request pushed to our Duo Mobile smartphone app. Users may also authenticate by answering a phone call or by entering a one-time passcode generated by the Duo Mobile app, a compatible hardware token, or received via SMS.

Try Duo for Free

With a free 30-day trial of our Duo Advantage plan, you can see for yourself how easy it is to get started with Duo's trusted access.

Your Duo Advantage trial comes with most of the features and functionality of a paid Duo Advantage subscription like:

New Duo customer accounts don't automatically receive voice telephony. That means neither administrators nor end users will be able to use phone calls as a two-factor authentication method. Duo Push, SMS passcodes, security keys, and hardware tokens all remain available.

You also won't be able to make these user messaging customizations:

If you require telephony or customized email and SMS messaging as part of your Duo evaluation or subscription, please contact your Duo sales executive or Duo Support.

During your 30-day Duo Advantage trial, you may choose to explore Duo Premier edition instead. To convert your Duo Advantage trial to a Duo Premier trial, visit the "Billing" page in the Duo Admin Panel once you've logged in and click Try It Free under the Duo Premier plan description.

When your Duo Advantage trial ends, your account switches to the Duo Free plan automatically. You can continue using your Duo Free plan for up to 10 users at no cost. Paid features you enabled during your trial no longer have any effect. If you convert this free account to a paid subscription, we'll restore the settings created during the trial.

Guided Onboarding

Duo is committed to providing you with the best experience possible. We want to be sure you have what you need, whether that be guidance on how to use our product, or where to go for help. The Duo Admin Panel now contains new admin onboarding journeys to guide you through enrollment, setup, deployment, optimization, and monitoring your security setup.

To access guided onboarding, first click on the Optimize button at the top of your dashboard page.

  • The Optimize button directs you to the "Optimize your setup" home page. Journeys available to you will be listed in the second-left navigation panel. Each journey is comprised of multiple steps which may be listed as “Required” (default), “Optional”, “Caution”, or “Recommended”.
  • “Caution”, “Optional”, and “Recommended” steps may be skipped and, in some cases, may be manually marked as “Complete”. Each journey guides you through a specific set of tasks to achieve important milestones in your Duo setup. Each task links you to the "Admin Panel" page where you can perform the action described. If there is not a specific page in the application that corresponds to the task, documentation links will be provided.
The journeys offered correspond with different parts of the product based on your Duo edition and the features implemented within your organization.

Get Started with Duo

  1. Tell us about your current setup.

    • Which identity providers are you using today?
    • Select the identity providers you use today to be directed to platform-specific setup instructions for those providers, such as automated integration setup or documentation links. If you do not wish to perform this task, you may select None and move to the next step.
  2. Add your first user and application.

    • Add a test user or group.
      • Enroll your pilot users in Duo. We provide several methods for enrollment. Some applications also support self-enrollment by users in the Duo Universal Prompt when they access the protected service.

    Your Duo administrator login can't also be used to log into the service or device now protected by a Duo application, so don't forget to enroll a Duo user account for yourself now, or complete user self-enrollment after you set up your first Duo application in the next step.

    • Add an application.

      • Decide which service, system, or appliance you want to protect with Duo as a test. We recommend testing with a non-production application to start.

      Note: Effective June 30, 2023, Duo's cloud service no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. If you are unsure how this may affect your Duo deployment plans, please see the Duo Knowledge Base article on TLS support for Duo applications and TLS 1.0 and 1.1 end of support for additional information.

    • Check global policy.

      • This link will take you to the "Policies" page, where you can change default settings in the Global Policy, such as allowed authentication methods, or create new custom policies for application access and user management.
  3. Expand to other users and applications.

    • Add more users or groups. If you are using an external user directory you can add it to Duo as a source for directory sync. Syncing your external directory will import users so they don't need to be created manually, and import groups that you can use to assign application access or target with custom policies. Once two or more users or groups are detected, or a user directory sync selected in the “Tell us about your current setup” section is set up, this step will automatically complete.

    • Add more applications (Optional).

    • This task will take you to the "Protect an application" page so that you may repeat the setup steps with multiple applications. This is an optional step and may be skipped.

    • Customize branding and enrollment email (Recommended).

    • Add your company logo and custom text for a clear enrollment and authentication experience on the "Settings" page. This step will automatically complete if a logo or brand image is set.

    Note: This step can be done prior to sending your first test enrollment or can be done within this flow. Duo recommends that branding setup is completed prior to sending enrollment links to production users.

  4. Support identity providers (Optional).

    • Configure a Duo Single Sign-On (SSO) authentication source.
    • This step will guide you in setting up an authentication source. This step is optional and may be skipped. Once an Active Directory or SAML provider authentication source for SSO is created, this task will auto-complete.
    • Once you configure Duo SSO authentication we encourage you to test SSO authentication with Duo Central.
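
The TLS note in step 2 above can be checked on the host that will run a Duo integration before you deploy it. The following is an added example, not Duo's code: it inspects a Python client `ssl.SSLContext` locally (no connection is made) and reports whether it can offer TLS 1.2 or later, whether it still permits TLS 1.0/1.1, and which enabled suites match a weak-name list. The `WEAK_MARKERS` list and the two sample contexts are assumptions constructed for the example.

```python
import ssl

# Assumption: name fragments of suites widely treated as insecure; the page
# does not list which suites the Duo service rejects.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5")


def _offers(ctx, version, no_flag):
    """True if ctx may negotiate `version` (version bounds and OP_NO_* flag)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "no bound".
    above_min = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= version
    below_max = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or hi >= version
    return above_min and below_max and not (ctx.options & no_flag)


def audit_tls_client(ctx):
    """Check a client SSLContext against a service that only accepts TLS 1.2+."""
    v = ssl.TLSVersion
    modern = (_offers(ctx, v.TLSv1_2, ssl.OP_NO_TLSv1_2)
              or (ssl.HAS_TLSv1_3 and _offers(ctx, v.TLSv1_3, ssl.OP_NO_TLSv1_3)))
    legacy = (_offers(ctx, v.TLSv1, ssl.OP_NO_TLSv1)
              or _offers(ctx, v.TLSv1_1, ssl.OP_NO_TLSv1_1))
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]
    return {"can_connect": bool(modern), "allows_legacy": legacy,
            "weak_ciphers": weak}


def legacy_context():
    """Constructed 'before' case: TLS 1.2 and 1.3 switched off by option flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_3
    return ctx


def hardened_context():
    """Corrected case: certificate checks on, nothing below TLS 1.2 offered."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()),
                      ("hardened", hardened_context())):
        print(name, audit_tls_client(ctx))
```

A context reported with `can_connect` false cannot complete a handshake with a TLS 1.2-only endpoint regardless of cipher configuration; `allows_legacy` true is a hardening gap on the client side even though the service will refuse the older versions.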

Set Up Additional Administrators

  1. Add administrators.

    • Add a second account owner.

      • This task will take you through the process of adding a second administrator with the "Owner" role to avoid account lockout. This step will complete once a second owner is activated.
    • Add more administrators (Optional)

      • This step will guide you to the "Add Administrator" page, which will allow you to add additional administrators and assign them a specific administrative role. Once an additional administrator has been configured this step will complete.
  2. Configure Duo Admin Panel Login (Optional)

    • Customize Admin Panel Login settings.

      • This step will take you to the "Administrator Login Settings" page to configure authentication methods and administrator access. SMS, voice, and Duo Mobile passcodes are disabled as administrator authentication methods for new accounts.
    • Configure Admin Panel SSO.

      • This step will allow you to log in to the Duo Admin Panel using Duo Single Sign-On, Microsoft Entra ID, Google, or other SAML 2.0 providers.
  3. Configure administrator permissions (Optional).

    • Assign Administrative Units.
      • This step will take you to the "Administrative Units" page which enables you to granularly control which of your Duo administrators can manage specific applications and groups.

Establish Device Trust

  1. Ensure device health with Duo Desktop.

    • Create a policy to require Duo Desktop.

      • This step will take you to the "Policies" page, and from there you can require the Duo Desktop app for Linux, macOS, or Windows. Once any of these are set this step will auto-complete.
      • Additionally, you may choose to require device registration using Duo Desktop.
    • Apply the Duo Desktop policy to a test group.

      • This step will take you to the "Policies" page where you can configure and assign a policy for specific applications and groups.
    • Deploy the Duo Desktop app to users’ devices.

      • This step will take you to the "Device Registration" page where you may choose to require device registration using Duo Desktop.
  2. Enable device trust using Trusted Endpoints.

    • Set up Duo Desktop.

      • This step will take you to the "Duo Desktop" page where you can learn more about how Duo Desktop and Trusted Endpoints are configured and monitored.
    • Configure mobile or desktop integration.

      • From this step you may add integrations to serve as management tools for your devices, including Duo Mobile. Once a device management tool is added this step will auto-complete. Additionally, if you add the integration as active, this will auto-complete the “Turn on integration” next step.
    • Turn on integration.

      • This step is a follow-up to the previous step. Once you have added a device management tool integration, click on the underlined blue integration title. This will take you to the integration configuration page where you can make the integration active.
    • Apply trusted endpoints policy to a test group (Optional).

      • This step is a continuation of the previous two steps. Once you have added an active device management tool integration, click on the underlined blue integration title. This will take you to the integration configuration page where you can test with a group or activate for all.
    • Apply trusted endpoints policy to an application or group.

      • This step is a continuation of the previous three steps. Once you have added an active device management tool integration, click on the underlined blue integration title. This will take you to the integration configuration page where you can test with a group or activate for all. Once the “Activate for all” option is selected, this step will auto-complete.
  3. Protect local and remote logins with OS Logon (Optional).

    • Create an application for the operating system (OS) clients you want to protect.

      • This step will take you to the "Protect an Application" page where you can create applications to protect Windows, macOS, or Unix/Linux operating systems.
    • Enable Offline Access for Windows Logon or macOS (Caution).

      • This step takes you to the "Applications" page which will show you which applications you have already created. Click on the application you wish to configure. On the application configuration page there is a section titled “Offline Access Settings” where you can enable offline login and enrollment. This step is given a “Caution” label since offline authentication is less secure than traditional online methods and should be used sparingly.
    • Configure Passwordless OS Logon for Windows.

      • This step is a continuation of the previous step. On the "Applications" page, click on a "Microsoft RDP" application. On that application's details page there is a section titled “Passwordless Settings” where you can allow passwordless login to Windows via Duo Push. When enabled, your users will have the option of enrolling in Passwordless for OS Logon. Duo Push is required for Passwordless to work. If Duo Push is disabled in the effective policy for the application, your users will fall back to password logon.
    • Enable remembered devices for Windows logon (Recommended).

      • This step is a continuation of the previous step. On the "Microsoft RDP" application's details page there is a section for policy. Click on the Edit Global Policy button under the Global policy section. On the left navigation bar under “Devices” there is a link titled “Remembered Devices”. Click here to be taken to the remembered devices policy configuration section, where you should enable the Remember devices for Windows Logon setting. This is a recommended step as it eliminates multiple 2FA requests within the configured parameters which makes accessing applications or networks easier and faster while still being trusted.
    • Deploy install file to a test machine, then desired machines.

      • This is a manual step that serves as the final step in deployment. Download the installer for the application from Duo and distribute it to your target client systems. Once you have completed your deployment you may manually mark this step complete to indicate that the journey is completed.

Next Steps

Now that you've experienced the ease of adding Duo protection to a test application, your next step is planning a full Duo deployment.

We've prepared a Liftoff guide that walks you through the stages of a typical organization Duo rollout.

Our Liftoff guide includes timelines and milestones, configuration best practices, tips for employee communications and training your support staff, and more!

Other Resources

Questions? Check our administration documentation and the rest of our documentation collections, the Duo knowledge base, or contact Support for help.