Multi-factor Authentication

Why two-factor authentication?

Two-factor authentication increases the security of online communications by making it harder for an attacker to masquerade as an authorized user. An attacker may be able to steal or guess the username and password, but without verification from the user’s device they will not be able to use the stolen login information.


Google Authenticator & Authy

Google Authenticator and Authy provide two-factor authentication aimed at customers (the end users of a product). They are priced for much higher volumes of users (cents per user instead of dollars) and allow for more custom integrations.


DUO Security

Duo Security is a vendor of cloud-based two-factor authentication services. Duo’s authentication factors are the user name and password (something the user knows) and a device (something the user has).


Comparison with alternates

Duo and Authy serve two very different audiences, employees for Duo vs. customers for Authy, so the choice usually depends on the use case at hand. Google Authenticator provides features similar to Authy’s.


Detailed comparison: DUO vs Google Auth

Detailed comparison: DUO vs Authy


Why Duo Security?

  • Easy learning curve for end users
  • Easy to scale
  • Cost effective
  • Provides various options for the second factor:
      • One-tap authentication using Duo’s mobile app
      • One-time passcodes (OTP) generated by Duo’s mobile app
      • One-time passcodes delivered to any SMS-enabled phone
      • Phone callback to any phone
      • One-time passcodes generated by an OATH-compliant hardware token
  • Works well with most VPNs
  • Good administrator tools and customer support



Integrating DUO with a web application

Intended Login behaviour

  1. Primary authentication
  2. Web Application or Service connection established to Duo Security over TCP port 443
  3. Secondary authentication via Duo Security’s service
  4. Web Application or Service receives authentication response
  5. Web Application or Service session logged in


Duo’s git repo provides SDKs in various languages such as Perl, Python, Go, Swift, Node.js and Java. These SDKs contain the API implementations needed to authenticate users via the Duo cloud platform.



Steps to integrate Duo with a Java Web Application


— steps at the Duo cloud platform

  1. Sign up here. A free trial account option is also available.
  2. Optional: activate Duo Mobile to receive push notifications for two-factor auth on Admin account login.
  3. Set a backup mobile number.
  4. Log in to the Duo Admin Panel and navigate to Applications.
  5. Click Protect an Application and locate Web SDK in the applications list. Click Protect this Application and note the integration key (ikey), secret key (skey), and API hostname. These will be used in the Java application for two-factor auth.


— steps at the Java application side

  6. Download the DuoWeb JAR from here.
  7. In the Java app, add the downloaded JAR to the build path and deployment assembly.
  8. Generate an akey. The akey is a string generated by the admin and kept secret from Duo. It should be at least 40 characters long and stored alongside the integration key (ikey) and secret key (skey) in a configuration file in the Java application.


— steps 9 to 11 can be skipped by using an official Java demo app that uses two-factor auth. (Source)

  9. In the login servlet, after primary authentication, call sign_request(), which initializes the secondary authentication process. sign_request() takes the ikey and skey, the generated akey, and the username of the user who just successfully completed primary authentication.

– If users can change their usernames, use something that won’t change, like an email address or primary key.

  10. After generating the signed request, redirect to the second-factor page that will contain the Duo IFRAME used for secondary authentication.

Set the IFRAME data-host attribute to the API hostname noted at the Duo admin portal.

Set the IFRAME data-sig-request attribute to the generated signed request.

Duo’s JavaScript handles the setup and communication between the IFRAME, the user, and the server. First, include a short snippet of JavaScript in the page, found here.

  11. After the user is successfully verified by Duo, the IFRAME will generate a signed response called sig_response and POST it back to the post_action URL mentioned in the script. Then call verify_response() to verify that the signed response is legitimate.

– The signed response is an assertion that the user completed both primary and secondary authentication. verify_response() takes the integration key (ikey), secret key (skey), akey, and the signed response as inputs. It returns the username of the authenticated user if the response is valid, or null if the response is invalid.
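Steps 9 to 11 wired into a single servlet, as an added example that is not the page’s code or Duo’s demo app: it assumes the DuoWeb JAR’s DuoWeb.signRequest() and DuoWeb.verifyResponse() methods, a Servlet 3.1 container, a primaryAuthUser request attribute set by the password check, a /duo_iframe.jsp page that renders the IFRAME from the duoHost and duoSigRequest attributes, and placeholder environment variable names for the keys.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import com.duosecurity.duoweb.DuoWeb;

// Keys are read from the environment (placeholder names); the akey is generated by the app, >= 40 chars, never shared with Duo.
public class DuoLoginServlet extends HttpServlet {
    private static final String IKEY = System.getenv("DUO_IKEY"); // integration key
    private static final String SKEY = System.getenv("DUO_SKEY"); // secret key
    private static final String AKEY = System.getenv("DUO_AKEY"); // application key
    private static final String HOST = System.getenv("DUO_HOST"); // API hostname
    // Steps 9 and 10: primary authentication succeeded; sign the request and show the IFRAME page.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = (String) req.getAttribute("primaryAuthUser"); // set by the password check (assumed)
        String sigRequest = (username == null) ? "ERR|no primary auth" : DuoWeb.signRequest(IKEY, SKEY, AKEY, username);
        if (sigRequest.startsWith("ERR|")) { // the SDK reports bad keys or username as an ERR| string
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Cannot start second factor");
            return;
        }
        req.getSession(true).setAttribute("duoPendingUser", username); // remembered, but NOT logged in
        req.setAttribute("duoHost", HOST);              // JSP renders <iframe data-host="${duoHost}" ...
        req.setAttribute("duoSigRequest", sigRequest);  //   ... data-sig-request="${duoSigRequest}">
        req.getRequestDispatcher("/duo_iframe.jsp").forward(req, resp);
    }
    // Step 11: Duo-Web-v2.js POSTs sig_response to this URL (the IFRAME's data-post-action).
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        String pending = (session == null) ? null : (String) session.getAttribute("duoPendingUser");
        String verified;
        try {
            verified = DuoWeb.verifyResponse(IKEY, SKEY, AKEY, req.getParameter("sig_response"));
        } catch (Exception e) { // invalid signature, expired response, or malformed input
            verified = null;
        }
        // Log in only if the signature is valid AND names the user who passed primary auth in this session.
        if (verified == null || !verified.equals(pending)) {
            if (session != null) session.invalidate();
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Second-factor authentication failed");
            return;
        }
        req.changeSessionId();                     // Servlet 3.1: new session id on privilege change
        session.removeAttribute("duoPendingUser");
        session.setAttribute("user", verified);    // flow step 5: the session is now logged in
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

The comparison of the verified username against the one stored before the IFRAME was shown is what ties the second factor to the primary login, rather than trusting the username carried in the response on its own.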


— enrolling users who can log in via Duo MFA

Users need to be enrolled on the Duo cloud platform before they can log in via Duo auth in our web app. Ideally, existing users from the app database can be imported into Duo by uploading a CSV file (details). For now we can manually add a sample user to test two-factor auth at our app end.


– steps to add a sample user for Duo MFA

  1. In the Duo Admin portal, navigate to Users, click Add User and enter a username and email. Save changes.
  2. Click “Send Enrollment Email”.
  3. Click the link received in the enrollment email to set up 2FA.
  4. A mobile number is mandatory for 2FA. Push notifications via the Duo Mobile app are optional.
  5. Until users have successfully enrolled, they are listed in the “Pending Enrollment” section of the Duo Admin portal.

Once enrolled, this “username” can be used in step 9 above when calling sign_request().



For a more detailed procedure, refer to Duo’s official documentation.