Identity Verification

Overview

Duo Identity Verification is a Beta feature.

To help protect organizations from the ever-growing threat of social engineering attacks, Duo integrates with Persona to offer identity verification (IDV) workflows that provide high assurance of user identities before allowing critical workforce user lifecycle actions in your organization.

Identity verification is part of the Duo Premier, Duo Advantage, and Duo Essentials plans.

Identity Verification Use Cases

We've launched the beta phase with help desk verification. Additional use-case support will follow in future releases.

| Use Case | Description | Availability |
| --- | --- | --- |
| Help Desk Verification | Verify the identity of users who contact your help desk for support. | Now |
| Remote Onboarding | Require that users complete identity verification before beginning Duo enrollment. | Future |
| Self-Service Account Recovery | Require that users complete identity verification to gain access to the Duo self-service portal (SSP). | Future |

How Duo Identity Verification Works

  1. Duo’s cloud service sends the user’s first name, last name, and date of birth directly to your organization’s Persona tenant as part of the inquiry creation. These attributes are never transmitted via the end-user browser interaction.

  2. Persona performs these pre-configured verification checks:

    a. Extracted Properties: this ensures extraction of the first name, last name, and date of birth from the government ID to match against the attribute values for the Duo user.

    b. Inquiry Comparison: this checks the user’s ID against the information provided at inquiry creation. This ensures the user who undergoes verification is the Duo user who requested verification.

    | Attribute | Match Requirement |
    | --- | --- |
    | First Name | Match within 2 characters different, or matches commonly used nickname (Example: "Jim" -> "James" = match) |
    | Last Name | 100% Match |
    | Date of Birth | 100% Match |

Do not disable these verification checks! They are critical to the efficacy of the verification. You may need to enable or disable other checks based on your organization’s needs and configuration, but be sure to leave the pre-configured checks intact.

If you decide to make changes to the configuration, please review Persona’s documentation and work directly with Persona to ensure your check configuration is advisable and secure before implementing the changes.

Timeouts

These pre-configured timeouts reduce the risk of social engineering attacks while allowing legitimate users enough time to complete a verification, including users who may depend on assistive technologies.

  • Access codes for end-users to start a verification are valid for 5 minutes.
  • Users have 20 minutes to complete a verification once they have started.
  • The most recent verification result remains visible in the Admin Panel for 15 minutes, after which it is no longer displayed.

Prerequisites

  • You must already have a Persona Enterprise plan in place, with "Admin" role access to the Persona dashboard.

    • Persona will load a Duo Identity Verification template with the recommended configuration into your account by request, which simplifies setup. Contact your Persona account team to request the Duo template before you begin the deployment steps.
  • You must have the Duo Owner or Administrator admin role to configure identity verification in the Duo Admin Panel.

  • Users who will perform identity verification must have access to a computer or mobile device with a camera.

Required User Attributes

Identity verification requires that users have these user attributes populated with values:

| Admin Panel Attribute | Admin API Parameter | Description |
| --- | --- | --- |
| Email Address | email | The user's email address. |
| First Name | firstname | The user's given name. |
| Last Name | lastname | The user's surname or family name. |
| Date of Birth | date_of_birth | The user's birthdate in the format YYYY-MM-DD. |
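
A readiness check for the attributes above, as an added example that is not part of Duo's documentation or code: it takes user records keyed by the Admin API parameter names from the table and reports which users are missing a required value or have a date of birth that is not a valid YYYY-MM-DD date. The record shape, the `username` key, and the rule that a birthdate must lie in the past are assumptions.

```python
import re
from datetime import date

# Admin API parameter names from the table above.
REQUIRED = ("email", "firstname", "lastname", "date_of_birth")
DOB_SHAPE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

def idv_gaps(user, today=None):
    """Return reasons a user record is not ready for identity verification."""
    gaps = [f"{f}: missing" for f in REQUIRED if not str(user.get(f) or "").strip()]
    dob = str(user.get("date_of_birth") or "").strip()
    if not dob:
        return gaps
    if not DOB_SHAPE.fullmatch(dob):
        return gaps + ["date_of_birth: not YYYY-MM-DD"]
    try:
        parsed = date.fromisoformat(dob)
    except ValueError:  # right shape, impossible date (e.g. 1990-02-30)
        return gaps + ["date_of_birth: not a real calendar date"]
    if parsed >= (today or date.today()):
        gaps.append("date_of_birth: not in the past")
    return gaps

def audit(users, today=None):
    """Map username -> gaps for every record with at least one gap."""
    found = ((u.get("username", "<unknown>"), idv_gaps(u, today)) for u in users)
    return {name: gaps for name, gaps in found if gaps}

# Constructed sample records (not real users); the "username" key is assumed.
SAMPLE_USERS = [
    {"username": "asmith", "email": "asmith@example.com", "firstname": "Alex",
     "lastname": "Smith", "date_of_birth": "1988-04-17"},
    {"username": "bjones", "email": "bjones@example.com", "firstname": "Bo",
     "lastname": "Jones", "date_of_birth": "04/17/1988"},
    {"username": "clee", "email": "clee@example.com", "firstname": " ",
     "lastname": "Lee", "date_of_birth": "1990-02-30"},
    {"username": "dkim", "email": "", "firstname": "Dana",
     "lastname": "Kim", "date_of_birth": None},
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_USERS).items():
        print(f"{name}: {'; '.join(gaps)}")
```
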

You can add these values for users using any of these methods:

Configure Duo Identity Verification

Locate the Persona Inquiry Template ID for Duo

You must have requested the Duo template from Persona before proceeding. Contact your Persona account team if you do not see the template in your dashboard.

  1. Log in to your organization's Persona dashboard as an administrator with the "Admin" role.

  2. Navigate to Inquiries → Templates under the "Identity" section on the left of the dashboard.

  3. Locate the "Duo Identity Verification" template and ensure the template has a "Last published at" timestamp. If not, select the template and click Publish in the upper right.

  4. Keep the Persona dashboard open and proceed to the next section.

Enter the Persona Inquiry Template ID in Duo

  1. In a new browser tab or window, log in to the Duo Admin Panel as an administrator with the Owner or Administrator admin role.

  2. Navigate to Users → Identity Verification.

  3. Return to the Persona dashboard browser tab or window and copy the "Duo Identity Verification" template ID by clicking on the clipboard icon next to the identifier.

  4. Paste the copied template ID in the Inquiry template ID field in the "Set up IDV" section of the "User Identity Verification" page in the Duo Admin Panel.

  5. Keep the Duo Admin Panel browser tab or window open as you will return to it shortly.

Create a Persona API Key

A Persona API key is necessary to enable communication with Duo.

Treat your API key like a password: secure it as you would any sensitive credential. If you need to share this key with someone else in your organization, make sure to follow your organization’s procedures for storage and sharing of secret values.

  1. Return to the Persona dashboard browser tab or window.

  2. Navigate to API → API Keys under the "Developers" section on the left of the dashboard.

  3. Click + Create API key in the upper right.

  4. Give the new API key a descriptive name, such as "Duo Identity Verification". You can add a note with more information if desired.

  5. Go to the "Permissions" tab and unselect default permissions until you have these four "Action" permissions enabled:

    • Inquiries
    • Verifications
    • Accounts
    • API
  6. Click Save in the upper right to create the new API key, and then click the Copy button to copy the API key to your clipboard.

If you need the key again in the future you can copy it from the "Overview" tab when editing the key’s properties, or from the list of all API keys.

Enter the Persona API Key in Duo

  1. Return to the browser tab or window with the Duo Admin Panel "User Identity Verification" page open.

  2. Paste the API key value you just copied from the Persona dashboard into the API key field in the "Set up IDV" section of the "User Identity Verification" page.

  3. Click Save.

[Image: Persona API and Template ID Values in Duo]

Enable Identity Verification for Users

After saving the Persona information you can choose to enable identity verification features for all your Duo users, or for select user groups.

  1. Scroll down on the "User Identity Verification" page in the Duo Admin Panel to the "Enable IDV" section.

  2. Choose an option for "Help desk-initiated identity verification":

    • Disable it for all users - (Default) No users will have the identity verification action available for administrators.
    • Enable it for specific groups of users - Members of the Duo groups you select will have the identity verification action available for administrators. Users must have the necessary attributes populated.
    • Enable it for all users - All users with the necessary attributes populated will have the identity verification action available for administrators.

    [Image: Enable Help Desk-Initiated User Verification]

  3. Click Save after making your selection.

You can return to this page in the future to make changes, such as expanding to additional groups or switching from selected groups to all users.

Use Help Desk Verification

Once enabled, Duo administrators with the Owner, Administrator, User Manager, Help Desk, or Security Analyst admin roles can initiate identity verification for eligible users who have the necessary attributes populated with values.

  1. Log in to the Duo Admin Panel and navigate to Users → Users in the left sidebar.

  2. Select a user by clicking their username or use the search bar at the top to locate the user.

  3. If the user has the necessary attributes populated and identity verification has been enabled, then you'll see a Verify with government ID link in the top right of the user's details page.

    [Image: Identity Verification Link on User Details Page]

    If you don't see the link, verify the attribute values and that the help desk-initiated identity verification feature was enabled for all users or that the user is a member of a group enabled for verification.

  4. Click Generate access code on the "Verify <user's name> with a government ID" page.

    [Image: Generate Identity Verification Code]

    The access code is valid for five minutes. The user will enter the generated access code in the Duo identity verification portal.

    [Image: Identity Verification Code Generated]

  5. Instruct the user to open https://verify.duo.com in a desktop or mobile device browser, and then to enter the email address they use with Duo and the access code you generated in the Duo Admin Panel.

    [Image: Start Duo Identity Verification]

  6. Once the user enters their email and access code, they'll click Verify with Persona, which redirects them to Persona to perform identity verification.

    [Image: Redirect to Persona for Verification]

    In the Duo Admin Panel, you'll see that the user has started the verification process.

    [Image: Identity Verification in Progress]

  7. At the Persona site, the user will step through the verification process. They will scan their choice of approved government-issued ID and perform facial recognition.

    [Image: Start Identity Verification in Persona]

    If the user accessed the identity verification portal from a device without a camera, they can click Continue on another device to receive a QR code to scan from a device with a camera and complete the verification process with that other device.

  8. When the user informs you that identity verification completed successfully, click Check for updates on the "Verify <user's name> with a government ID" page in the Duo Admin Panel. You'll see the verification result.

    [Image: Duo Identity Verification Completed]

    The verification result remains viewable for 15 minutes after completion.

Logging

Locate identity verification events at Reports → Activity Logs. Use the Identity Verifications filter at the top to focus on identity verification events.

[Image: Duo Identity Verification Activity Log Events]

Click More details for any event to view additional information.

Known Limitations and Planned Improvements

  • The Admin Panel "Verify <user's name> with a government ID" information requires manual refresh with Check for updates or closing and reopening. This information will automatically update as users proceed through the verification process in a future release.

  • The activity log for a completed verification does not yet contain the pass/fail result.

  • There is no activity log when an admin cancels a verification at this time.

  • Inbound Okta SCIM and Google Workspace directory sync to Duo do not include support for importing date of birth information.

  • CSV import does not support importing date of birth information.