The illustration below outlines the basic steps in a successful two-factor authentication event. For a comprehensive description of Duo features, please review the Duo documentation.
To utilize two-factor authentication,
The following is a very generalized explanation of the two-factor authentication process. Information for specific types of service integrations is available on Duo's website.
When a Subject navigates to a two-factor Service Provider, the Service Provider initiates the login process.
The login process is a two-step process that starts with verification of the Subject's NetID and password. The Subject enters and submits his or her NetID and password.
The Service Provider submits the Credential to the Credential Store for verification. If the Credential is valid, the Primary Authentication is successful.
After the Subject successfully authenticates with the NetID/password pair, the Service Provider initiates the secondary authentication process by generating an authentication request. The request is an HMAC-SHA1 of the username, integration key and an expiration timestamp, using the integration's secret key as the HMAC key.
Once the request is generated, contact with the Duo server is initiated and Duo prompts the Subject to select an authentication mechanism. The options presented to the Subject will depend on the devices that the Subject previously registered with Duo.
If a Subject has not previously registered their devices, Service Providers can allow Subjects to be prompted to register at the time the Subject attempts to access the service. Service Providers also have the option of refusing to allow Subjects to access the service if they have not previously registered.
Subjects are encouraged to register multiple devices to provide backup authentication avenues if something happens to their primary device. Once the Subject selects an authentication mechanism, Duo sends an authentication request to the Subject's device.
Specific steps followed by the Subject to complete the Duo authentication event will vary depending on the selected mechanism. Once the Subject completes these steps, Duo notifies the Service Provider that the authentication event has been completed.
For some integrations, the Service Provider will perform an additional step of verifying that the notification received from Duo is legitimate.
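The signed request and the legitimacy check described above, as an added Python example (not Duo's or this site's own code). The `payload|signature` layout, the function names, the 300-second lifetime and the key values are assumptions made for illustration; use Duo's SDK for a real integration.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values, not real Duo credentials.
IKEY = "DI_EXAMPLE_INTEGRATION_KEY"
SKEY = b"constructed-secret-key-for-illustration-only"

def _mac(skey: bytes, payload: str) -> str:
    # HMAC-SHA1 keyed with the integration's secret key.
    return hmac.new(skey, payload.encode(), hashlib.sha1).hexdigest()

def sign_request(skey, username, ikey, ttl=300, now=None):
    """Return 'payload|sig' where payload = base64(username|ikey|expiry)."""
    if "|" in username or "|" in ikey:
        raise ValueError("field contains the delimiter")
    expiry = int(time.time() if now is None else now) + ttl
    raw = f"{username}|{ikey}|{expiry}".encode()
    payload = base64.b64encode(raw).decode()
    return f"{payload}|{_mac(skey, payload)}"

def verify_request(skey, token, expected_ikey, now=None):
    """Return the username if the token is authentic, bound to this
    integration and unexpired; otherwise None."""
    try:
        payload, sig = token.split("|")
        # Check the MAC in constant time before parsing any signed field.
        if not hmac.compare_digest(_mac(skey, payload), sig):
            return None
        decoded = base64.b64decode(payload, validate=True).decode()
        username, ikey, expiry = decoded.split("|")
        expiry = int(expiry)
    except (ValueError, TypeError, UnicodeDecodeError):
        return None  # malformed token: fail closed
    if ikey != expected_ikey:
        return None  # signed for a different integration
    if (time.time() if now is None else now) >= expiry:
        return None  # expired: limits the replay window
    return username

if __name__ == "__main__":
    token = sign_request(SKEY, "jdoe", IKEY, now=1000)
    print(verify_request(SKEY, token, IKEY, now=1100))  # within lifetime
    print(verify_request(SKEY, token, IKEY, now=1300))  # at expiry
```

The expiration timestamp is inside the signed payload, so it cannot be extended without the secret key, and the verifier rejects every malformed input rather than raising.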