
Authentication & Authorization Services

Two-Factor Authentication

Duo's Two-Factor Authentication

The illustration below outlines the basic steps in a successful two-factor authentication event. For a comprehensive description of Duo features, please review the Duo documentation.

Diagram of steps in Duo two-factor authentication event

Preliminary Step: Service Provider Duo-enables their site

To utilize two-factor authentication,

  • Web-based Service Providers will:
    • CAS-enable the Service Provider site. As with single-factor authentication, CAS will handle all steps in the two-factor authentication process.
    • Update logic used to parse CAS payload to consume the two-factor authentication information and enforce two-factor if required for the service.
  • Other types of Service Providers will:
    • Register the service and obtain an integration key and secret key.
    • Add a Duo client to the core service code or configure service to prompt for second authentication event.
    • Configure the Duo client.

The following is a very generalized explanation of the two-factor authentication process. Information for specific types of service integrations is available on Duo's website.

Step 1: Subject attempts to access a two-factor authN Service Provider site

When a Subject navigates to a two-factor Service Provider, the Service Provider initiates the login process.

Step 2 (Primary Authentication): Subject submits NetID and password

The login process is a two-step process that starts with verification of the Subject's NetID and password. The Subject enters and submits his or her NetID and password.

Step 3 (Primary Authentication): Service Provider validates the Credential

The Service Provider submits the Credential to the Credential Store for verification. If the Credential is valid, the Primary Authentication is successful.

Step 4 (Secondary Authentication): Service Provider submits an authentication request to Duo

After the Subject successfully authenticates with the NetID/password pair, the Service Provider initiates the secondary authentication process by generating an authentication request. The request is an HMAC-SHA1 of the username, integration key and an expiration timestamp, using the integration's secret key as the HMAC key.

Once the request is generated, the Service Provider contacts the Duo server, and Duo prompts the Subject to select an authentication mechanism. The options presented to the Subject will depend on the devices that the Subject previously registered with Duo.

If a Subject has not previously registered their devices, Service Providers can allow Subjects to be prompted to register at the time the Subject attempts to access the service. Service Providers also have the option of refusing to allow Subjects to access the service if they are not previously registered.

Step 5 (Secondary Authentication): Subject selects Secondary Authentication mechanism

Subjects are encouraged to register multiple devices to provide backup authentication avenues if something happens to their primary device. Once the Subject selects an authentication mechanism, Duo sends an authentication request to the Subject's device.

Step 6 (Secondary Authentication): Subject completes Secondary Authentication request

Specific steps followed by the Subject to complete the Duo authentication event will vary depending on the selected mechanism. Once completed, Duo notifies the Service Provider that the authentication event has been completed.

For some integrations, the Service Provider will perform an additional step of verifying that the notification received from Duo is legitimate.
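The following is an added example, not code from this page or from Duo, showing both the Step 4 request signing (HMAC-SHA1 over username, integration key and expiration, keyed with the secret key) and the verification step described in the previous paragraph. The `TX`/`AUTH` prefixes, the base64 field layout and the 300-second lifetime are assumptions modelled on Duo's published Web SDK and are not stated on this page; the key values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Assumed layout (modelled on Duo's Web SDK, not stated on this page):
#   prefix|base64(username|ikey|expiration)|hex(HMAC-SHA1)
REQUEST_PREFIX = "TX"     # request the Service Provider sends to Duo (Step 4)
RESPONSE_PREFIX = "AUTH"  # notification Duo returns after the second factor
REQUEST_EXPIRE = 300      # assumed lifetime of a signed request, in seconds


def sign_values(key, vals, prefix, expire, now=None):
    """HMAC-SHA1 over prefix|base64(fields|expiration), keyed with `key`."""
    exp = str(int(now if now is not None else time.time()) + expire)
    payload = base64.b64encode("|".join(vals + [exp]).encode()).decode()
    cookie = f"{prefix}|{payload}"
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def sign_request(ikey, skey, username, now=None):
    """Step 4: build the request Duo will accept for this username/integration."""
    return sign_values(skey, [username, ikey], REQUEST_PREFIX, REQUEST_EXPIRE, now)


def verify_response(ikey, skey, signed, prefix=RESPONSE_PREFIX, now=None):
    """Return the username only if the notification is authentic and unexpired.

    The username inside the payload is untrusted until the HMAC, prefix,
    integration key and expiration have all been checked.
    """
    parts = signed.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    msg = f"{u_prefix}|{u_b64}".encode()
    expected = hmac.new(skey.encode(), msg, hashlib.sha1).hexdigest()
    # Constant-time comparison: a forged tag must not be guessable byte by byte.
    if not hmac.compare_digest(expected, u_sig) or u_prefix != prefix:
        return None
    try:
        fields = base64.b64decode(u_b64).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(fields) != 3 or fields[1] != ikey or not fields[2].isdigit():
        return None
    ts = int(now if now is not None else time.time())
    if ts >= int(fields[2]):
        return None  # expired: a replayed notification is rejected here
    return fields[0]
```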