Duo is ending support for the traditional Duo two-factor authentication prompt on March 30, 2024. JumpCloud supports Duo universal prompt and recommends admins update to that method.
Use Multi-factor Authentication with JumpCloud to secure user access to your organization’s resources, and enable JumpCloud Duo Security MFA to give your users the ability to use push notifications as a factor when MFA guards the User Portal and SSO applications.
Read this guide to learn how to configure Duo Security for your org. Duo Security MFA gives your users the ability to authenticate to the User Portal and SSO applications with push notifications.
You can also secure user access to resources with JumpCloud Protect, TOTP MFA, and WebAuthn MFA. See MFA for Admins to learn more.
About Duo Security MFA
MFA requires more than one factor to authenticate to a resource. Duo Security MFA allows users to authenticate to their User Portal using push notifications, phone callbacks, and mobile passcodes provided by Duo. Duo Security MFA is available for User Portal login, SSO application login, and password changes from the User Portal.
JumpCloud’s Duo MFA integration does not include support for Duo System Agent Authentication for Windows, which is a different Duo component for use cases not related to MFA.
Duo Security MFA Considerations
Read and understand the following considerations prior to enabling Duo Security MFA.
- Users must be enrolled in Duo to use Duo as an MFA factor. JumpCloud doesn’t enroll users in Duo.
- The JumpCloud username must be the same as the Duo enrolled username. Alternatively, you can create an alias for the username in Duo to match the JumpCloud username. You can do this in the Duo Admin Panel below a user’s username.
- JumpCloud integrates with Duo but doesn’t manage Duo. You need an account in Duo with administrative access to create the required Duo application.
- To configure Duo to protect the JumpCloud User Portal, you need to use the Duo Web v4 SDK application.
- Third party integrations may not support Duo MFA.
- At least one MFA factor must always be enabled for the User Portal, and you can have more than one MFA factor enabled.
- TOTP MFA is enabled by default in MFA Configurations, but once Duo is turned on, TOTP can be turned off.
Preparing Your Users
When you enable Duo security for your organization, users will also need a Duo account to make use of it as an MFA factor. If multiple MFA factors are enabled, users will have the option to choose which MFA factor they want to use to authenticate to the User Portal. If Duo MFA fails to authenticate a user, the user can change to an alternative MFA factor.
Creating a Duo Application in Duo
To begin using Duo MFA, you first need to configure a Duo application in Duo for the JumpCloud User Portal.
To create a Duo application, you will need to be an administrator with a Duo account. Once that is complete, you can log into the Duo Admin Panel as an administrator and follow the instructions in the First Steps section of the Duo documentation.
- Duo Admin Panel: https://admin.duosecurity.com/
- Duo Universal Prompt documentation: https://duo.com/docs/duoweb#overview
Be sure to collect your Integration Key (Client ID), Secret Key (Client Secret), and API Hostname from the Applications area of the Duo Admin Panel.
Enabling Universal Prompt
Migrating to Universal Prompt for your Duo applications is a two-step process:
- Update the application to support the Universal Prompt with the Duo Web v4 SDK.
- Activate the Universal Prompt experience for your users.
If the admin does not migrate to the Universal Prompt experience, users will continue to see the traditional prompt.
- Complete Instructions: https://duo.com/docs/duoweb#overview
Protecting the User Portal with Duo MFA
To enable Duo Security for your organization:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
- Go to Security Management > MFA Configurations.
- Enable Duo Security by clicking Configure.
- Enter (paste) the following information that you collected from Duo:
  - Integration Key (Client ID)
  - Secret Key (Client Secret)
  - API Hostname
- Click Save.
User Experience
When you configure the Duo Security MFA connection in JumpCloud and require TOTP for a user, this will be the user experience:
- Log in to the JumpCloud User Portal https://console.jumpcloud.com/login.
- Choose a multifactor authentication method.
- If choosing to use Duo, you’ll be challenged for Duo MFA after entering your password. Depending on your device and what has been configured for use with Duo MFA, possible options are:
  - Duo Push (User will receive a prompt in the Duo app)
  - Passcode (User will need to enter a passcode that’s texted via SMS)
  - Call Phone (User will receive a phone call from Duo for authentication)
  - Touch ID
  - Use Security Key
  - Send Text Message Passcode (User will receive a passcode as a text message)
- Universal Prompt will remember the last authentication method used and default to that method. Clicking Other Options will give the user other approved methods.
- (Limitation) Duo Universal Prompt does not return the user to the prompt screen in the case of an error, denial, or time-out. The user has to click the browser back button twice to return to the prompt screen.
- (Tip) If multiple MFA factors are enabled, you can choose your authentication method.
- After successfully authenticating through the chosen method, you should be logged in to your User Portal.
If a user account is set to Bypass in Duo, they’ll never see the Duo authentication options when signing in. Rather, they are automatically logged in to the User Portal via Duo. This could confuse users if they're expecting to see Duo’s authentication methods after entering their password.
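A pre-rollout check for the username-matching and enrollment considerations and for the Bypass behavior described above. This is an added example, not JumpCloud or Duo code. The record fields (`username`, `aliases`, `is_enrolled`, `status`) and the sample users are constructed assumptions about how you exported each directory, and matching is exact because the guide says the usernames must be the same.

```python
# Constructed sample data; replace with your own exports.
JUMPCLOUD_USERS = ["alice", "bob", "carol", "dave", "erin"]
DUO_USERS = [
    {"username": "alice", "aliases": [], "is_enrolled": True, "status": "active"},
    {"username": "robert.smith", "aliases": ["bob"], "is_enrolled": True, "status": "active"},
    {"username": "carol", "aliases": [], "is_enrolled": False, "status": "active"},
    {"username": "dave", "aliases": [], "is_enrolled": True, "status": "bypass"},
]


def build_index(duo_users):
    """Map every Duo username and alias to its user record."""
    index = {}
    for user in duo_users:
        for name in [user["username"], *user.get("aliases", [])]:
            # Keep the first record if two Duo users claim the same name.
            index.setdefault(name, user)
    return index


def audit(jumpcloud_usernames, duo_users):
    """Classify each JumpCloud user by how a Duo MFA challenge would go."""
    index = build_index(duo_users)
    findings = {}
    for name in jumpcloud_usernames:
        duo = index.get(name)
        if duo is None:
            # Neither a Duo username nor an alias matches.
            findings[name] = "no_duo_match"
        elif duo["status"] == "bypass":
            # Signed in without ever seeing the Duo authentication options.
            findings[name] = "bypass"
        elif not duo["is_enrolled"]:
            # JumpCloud does not enroll users in Duo.
            findings[name] = "not_enrolled"
        else:
            findings[name] = "ready"
    return findings


def needs_attention(findings):
    """Return only the users an admin should fix or review before rollout."""
    return {n: f for n, f in findings.items() if f != "ready"}


if __name__ == "__main__":
    for name, finding in audit(JUMPCLOUD_USERS, DUO_USERS).items():
        print(f"{name:8} {finding}")
```

Review every `bypass` entry before relying on Duo as the only enabled factor, since those accounts pass the Duo step without a second factor.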