# MFA with Cisco Duo

Duo Security is available as a multi-factor authentication (MFA) option for your StrongDM users. This guide describes how to set up and configure MFA using Duo.

### Set Up Duo

The first part of the setup process takes place in the [Duo Admin panel](https://admin.duosecurity.com/login). Log in as an administrator of your Duo account and perform the following steps.

1. Go to **Applications** and click **Protect an Application**.\
   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-d8e6bb785134324f79024bcc51087c2353097f63%2Fduo-applications.png?alt=media)
2. From the list of application types, find **Web SDK** and click **Protect**.\
   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-6e78f53af9f467ae644a2eede350789422ba9156%2Fduo-web-sdk.png?alt=media)
3. Be sure to note the client ID, client secret, and API hostname, as they are needed later.\
   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-50c686a042c42216620c6a7b1f9086660b690299%2Fduo-details.png?alt=media)
4. Under **Settings**, set up the policy, name, voice greeting, and other options according to your organization's preferences.
5. Save changes.

You are done here. Keep this browser window open so that you can copy the client ID, client secret, and API hostname when setting up StrongDM in the next section.

### Set Up StrongDM

The setup continues in the StrongDM Admin UI.

1. Go to **Settings**, then **Security**, and scroll down to **Multi-factor Authentication**.
2. Click to unlock the fields and allow changes. Then select **Duo** from the dropdown menu.
3. Using the values you noted in the Duo Admin panel, paste the client ID into the **Integration Key** field, the client secret into the **Secret Key** field, and the API hostname into the **Duo API URL** field.

   ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-e1632fdb8dcaf9057e49b4135df6d04ccab607ef%2Fmfa-setup.png?alt=media)

4. Click **Test** to test the MFA settings. This requires your admin account to be registered as a user in Duo.

{% hint style="warning" %}
Ensure that **Test MFA** is successful before activating MFA, or your admin account may become locked out!
{% endhint %}

### Log in With Duo MFA Enabled

The login process once Duo MFA is enabled includes only one change. After entering the username and password, the login page contains a "Waiting for MFA..." message, which displays until the Duo challenge is accepted. The process of logging in to the desktop app or the CLI with Duo MFA enabled is similarly altered.

### Register a New User With Duo MFA Enabled

When Duo MFA is enabled, the new user registration process halts when the user clicks the link in the invitation email, and then displays a link to the Duo self-enrollment process. Once the enrollment steps are complete, the user can return to the StrongDM window to finalize the login process.

### Troubleshoot MFA With Duo

You may run into issues authenticating your StrongDM account with Duo MFA enabled. The following topics can help you troubleshoot any errors you receive while logging in.

#### MFA alongside SSO

When you set up an SSO provider to authenticate with StrongDM and also enable MFA in the Admin UI, users are not prompted for MFA during login. In this scenario, your configured MFA is used only to re-authenticate users when the desktop app locks due to inactivity, not during normal login attempts.

If using SSO, we recommend setting up MFA through your SSO provider to also trigger MFA prompts during user logins.

#### Duo username mismatch with StrongDM username

If a username in Duo does not match a StrongDM username (which is typically an email address), you need to create an alias in Duo for that user. These usernames must match to take advantage of Duo MFA for a particular user.
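One way to find the users who need a Duo alias before you activate MFA, as an added example (not StrongDM or Duo code): it compares StrongDM usernames against Duo usernames and aliases. The user lists are constructed sample data, and `classify` and its status labels are hypothetical names.

```python
# Pre-enablement check: which StrongDM users lack a matching Duo username or alias?
# All data below is constructed sample input; load your own exports instead.

STRONGDM_USERS = [  # constructed: StrongDM usernames (typically email addresses)
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dave@example.com",
    "erin@example.com",
]

DUO_USERS = [  # constructed: Duo username plus any aliases already defined
    {"username": "alice@example.com", "aliases": []},
    {"username": "bob", "aliases": ["bob@example.com"]},
    {"username": "carol", "aliases": []},
    {"username": "Dave@Example.com", "aliases": []},
]


def classify(strongdm_users, duo_users):
    """Return {strongdm_username: (status, duo_username_or_None)}."""
    exact, folded, local = {}, {}, {}
    for user in duo_users:
        for name in [user["username"], *user["aliases"]]:
            exact[name] = user["username"]
            folded.setdefault(name.lower(), user["username"])
        local.setdefault(user["username"].lower(), user["username"])
    report = {}
    for sdm in strongdm_users:
        local_part = sdm.split("@", 1)[0].lower()
        if sdm in exact:
            report[sdm] = ("match", exact[sdm])
        elif sdm.lower() in folded:
            # Differs only by letter case: confirm how your Duo account treats case.
            report[sdm] = ("case-differs", folded[sdm.lower()])
        elif local_part in local:
            # A Duo user exists under the short name; add the StrongDM name as an alias.
            report[sdm] = ("needs-alias", local[local_part])
        else:
            report[sdm] = ("not-in-duo", None)
    return report


if __name__ == "__main__":
    for sdm, (status, duo) in classify(STRONGDM_USERS, DUO_USERS).items():
        print(f"{status:13} {sdm:22} duo={duo}")
```

Users reported as `not-in-duo` correspond to the "User not enrolled in MFA" error in the table below and need enrollment rather than an alias.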

#### Authentication errors with Duo

| Error                                       | Description                                                  | Resolution                                                  |
| ------------------------------------------- | ------------------------------------------------------------ | ----------------------------------------------------------- |
| Could not find a valid MFA device           | Your Duo-configured device cannot receive push alerts.       | Contact your Duo administrator to register another device.  |
| Could not push a notification to MFA device | Duo was not able to send a push to your device.              | Contact your Duo administrator.                             |
| Invalid MFA configuration                   | Your organization's MFA configuration is not correct.        | Contact your StrongDM administrator.                        |
| MFA denied access                           | When the push alert arrived, you denied access.              | Log in again and accept when the push arrives.              |
| MFA did not return a response in time       | Duo did not receive an accept/deny from your device in time. | Try logging in again and accept/deny when the push arrives. |
| MFA refused to authenticate this user       | Duo has preemptively denied authentication.                  | Contact your Duo administrator.                             |
| User not enrolled in MFA                    | You are not enrolled with Duo.                               | Contact your Duo administrator.                             |

#### New device setup or reset

If you get a new mobile device or have to reset your existing device, you may be unable to log in to your Duo-protected account. If this situation occurs, please contact your organization's Duo administrator to provision your device.

{% hint style="warning" %}
Unfortunately, StrongDM is unable to assist with enrolling individual end-user devices for MFA.
{% endhint %}


