Duo MFA Service for Non-Web Integrations

See also: CalNet 2-Step for information about using Duo MFA with CalNet CAS-protected web sites.

Background

We are running a limited deployment of Duo Security's Multifactor Authentication (MFA) service for campus IT staff for non-web integrations. To help manage user administration, we are asking for two designated admins per IT staff group. These admins will be responsible for enrolling their IT staff and administering their integration with Duo services.

Getting started

Please provide the following in a note to calnet-mfa@lists.berkeley.edu:

  • names and SMS-capable phone numbers for the two new admins (one primary and one backup) for your group
  • proposed group name in the Duo Admin app

Recommendations for admins

  • Create and use a Duo group to keep your users and Duo integrations (applications) together for ease of applying policies, etc.
  • Use the Bulk Enroll Users feature to allow your users to easily self-enroll
  • Telephony-based Duo authentication (phone calls and SMS messages) incurs a cost, so please install the Duo app for your users where possible. Have them use Duo Push as their usual method, with Duo Mobile-generated passcodes as a backup authentication option.
  • Optionally, hardware tokens such as YubiKeys can provide additional security using OTPs or U2F, depending on the application.

Duo documentation links

For admins:

For end-users:

Duo Guide

Contributed integration examples

Feel free to send us any example Duo integration configurations or other Duo tips and advice that you would like to share with the campus.

Contact us

For general questions, and for requests for access to the service, write to calnet-mfa@lists.berkeley.edu.