Duo's WordPress plugin enables two-factor authentication for WordPress logins.
In a WordPress multisite installation with Duo two-factor authentication configured for "Administrator" role users, users with the "Editor" role (or any role other than "Administrator") may see unexpected prompts for Duo authentication when logging into the primary WordPress site instead of their assigned subdomain site.
This happens because when those "Editor" users log into the primary domain instead of their subdomains the Duo plugin attempts to verify the user's role in the primary domain to determine if two-factor is required for that role. Since the users are not members of the primary domain, Duo is unable find any roles for the user attempting to login and defaults to two-factor authentication.
To correct this, add the subdomain users to the primary domain with their corresponding roles under Network Admin → Sites → Users.
If you can, ssh into the server and use NTP to set the correct time.
If you don't have access to the server (or the permissions needed to run NTP), contact your web host and have them correct the server time.
Note: the WordPress timezone setting is irrelevant here.
While logged in as the WordPress network admin, navigate to My Sites → Network Admin → Plugins. Install the Duo two-factor authentication plugin using the directions on the main page and click Network Activate after installation. Proceed with multisite configuration after activating the plugin.
Browse to Settings → Network Settings. Scroll down the page to the "Duo Security" section. Copy and paste your integration key, secret key, and API hostname from the Duo WordPress application's page in the Duo Admin Panel. You may select which WordPress user roles need to authenticate using Duo.
To fully secure your WordPress site Duo recommends that you disable XML-RPC. However, this will prevent use of offline Weblog clients and the WordPress mobile app.
Click Save Changes to complete configuration.