0
Your Cart
No products in the cart.

Connect and protect your employees, business partners and customers with identity-powered security.
image of a person typing on a laptop
Get the security features your business needs with a variety of plans at several price points.
Desktop and mobile access protection with basic reporting and secure single sign-on.
All Duo Small/Medium Business features, plus adaptive access policies, greater device visibility, plus advanced device insights and remote access solutions.
FedRamp authorized, end-to-end FIPS compliant, streamlined solutions.
Meet compliance objectives with our friction-free MFA.
Duo provides secure access to any application with a broad range of capabilities.
Verify the identities of all users with MFA.
Provide secure access to on-premise applications.
Ensure all devices meet security standards.
Provide secure access to any app from a single dashboard.
Block or grant access based on users' role, location, and more.
Duo’s security is customizable, easy to set up and simple to use, making it the perfect solution for a wide range of industries.
image of person on a mobile device
Duo provides secure access for a variety of industries, projects, and companies.









Whether you're considering a big-picture security strategy like zero trust, or you want to address a specific threat like phishing attacks, Duo has you covered.
This set of tools and policy controls ensures only the right users have access to applications and resources and under the right conditions.
A zero trust model establishes trust in users and devices through authentication and continuous monitoring.
Duo's comprehensive access security sets the stage for user-friendly, password-free multi-factor authentication.
Secure your workforce against phishing attacks with strong multi-factor authentication, device trust and more.
Duo’s dynamic solution detects and responds to potential threat signals to secure trusted users and frustrate attackers.
With Duo, you can have both, in a platform that integrates across your entire ecosystem. Every user, every device, no exceptions.
image of two people on a mobile device
Duo delivers peace of mind with strong security and increased productivity at an unmatched value.
Reduce friction and automate processes so that end-users and administrators can focus their time on moving your business forward.
Duo continues to pioneer MFA-approaches that keep your business a step ahead of the next threat.
Our Risk-Based Authentication reduces the burden placed on users so they can verify their identity quickly and get back to the task at hand.
Close the gap on your security perimeter and bring every user and every device under one secure roof.
Duo provides secure access for a variety of industries, projects, and companies.
Click through our instant demos to explore Duo features.
Duo Security is part of Cisco Security — find out how we make global security resilience easier than ever!
Was this page helpful? Let us know how we can make it better.
Add Duo's strong two-factor authentication to your web application using a new OIDC-compliant authentication protocol to perform two-factor authentication.
Implementing Duo two-factor authentication into your site involves splitting your login handler into two parts. You should be familiar with your web application's programming language and authentication process.
For example, a typical single factor login process looks something like this:
After adding Duo authentication it will look more like this:
Duo Web SDKs are available on GitHub.
To use a different language not available as an SDK or to create your Duo integration without using one of our SDKs, see the OIDC Auth API. Please also contact Duo Support to let us know which additional languages you'd like supported with a Duo Web SDK.
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
Your complete migration from traditional Duo prompt to Universal Prompt for your Duo Web application is a three-step process:
Update the application to support the Universal Prompt by using the Duo Web SDK v4 with OIDC support.
Authenticate with Duo 2FA using the updated application so that Duo makes the Universal Prompt activation setting available in the Admin Panel.
From the Duo Admin Panel, enable the Universal Prompt experience for users of that application after the application has been updated with Universal Prompt support.
If you're creating a Duo Web application for the first time, building it with the Duo Web v4 SDK ensures it supports the Universal Prompt.
Duo Prompt UI Support per Delivery Method
The "Universal Prompt" section on the details page of your new Duo Web SDK application shows the status as "Ready to activate", with these activation control options:
Show traditional prompt: (Default) Your users experience Duo's traditional prompt when logging in to this application.
Show new Universal Prompt: Your users experience the Universal Prompt when logging in to this application.
The "Universal Prompt" section on the details page of your existing Duo Web v2 iframe application will show the status as "Updated required" with a link to update instructions if an application software update is available.
Once you update your Duo integration to use Web SDK v4, and a user authenticates to that existing application via the frameless Duo v4 SDK, the "Universal Prompt" section of the Duo Web application page reflects a status change to "Ready to activate", with these activation control options:
Show traditional prompt: (Default) Your users experience Duo's traditional prompt via an iframe when logging in to this application.
Show new Universal Prompt: Your users experience the Universal Prompt via redirect when logging in to this application.
In addition, the "Integration key" and "Secret key" property labels for the application update to "Client ID" and "Client secret" respectively. The values for these properties remain the same.
If you followed a third-party software vendor's Duo configuration instructions to create a Duo Web SDK application for use with their product, please contact that software vendor that to determine availability of the necessary update for frameless Universal Prompt support.
Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.
Enable the Universal Prompt experience by selecting Show new Universal Prompt, and then scrolling to the bottom of the page to click Save.
Once you activate the Universal Prompt, the application's Universal Prompt status shows "Activation complete" here and on the Universal Prompt Update Progress report.
Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications that will have Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Watch the Duo Blog for future updates about the Duo Universal Prompt.
See the Universal Prompt Update Guide for an overview of the new Universal Prompt and its advantages over the previous Web SDK.
The Web SDK 4 Universal Prompt Web SDK is a brand new experience with a substantially different integration flow from the previous Web SDK 2.
Web SDK 4 has some key technical differences from Web SDK 2:
If you already have an existing Web SDK application, you do not need to create a new one to migrate it to Web SDK 4. You may reuse that existing integration with your Web SDK v4 updated application.
Note: After upgrading your Application to use Web SDK 4, the Duo Prompt will have identical appearance and functionality as the Web SDK 2 prompt until you activate the new Universal Prompt for that application.
Review a step-by-step v2 to v4 example migration using the Python Universal Web SDK on GitHub.
To begin development with a new Duo Web SDK integration:
Sign up for a Duo account.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the 2FA-only entry for Web SDK in the applications list. Click Protect to the far-right to configure the application and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.


Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".
Use NTP to ensure that your server's time is correct.
Connectivity Requirements

This application communicates with Duo's service on SSL TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.


This application communicates with Duo's service on SSL TCP port 443.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.
Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
Client libraries are currently offered for Python, Java, Go, and PHP. To integrate with another language, please see the Duo OIDC-based API documentation.
Issue the following command:
Refer to the Duo Universal Prompt Python sample project for a complete example of how to use the SDK.
View the Duo Universal Prompt Java example project for a complete example of how to use the SDK.
Add the following to the <dependencies> section of your pom.xml:
Add the following to the dependencies section of your build.gradle:
Find the latest jar on the duo_universal_java GitHub releases page.
To use the SDK in your existing development environment, install it using Go Modules:
Refer to the Duo Universal Prompt Go example project for a complete example of how to use the SDK.
Issue the following command:
Refer to the Duo Universal Prompt PHP example project for a complete example of how to use the SDK.
To use this client in your existing developing environment, install it from NPM:
Refer to the Duo Universal Prompt Node.js example project for a complete example of how to use the SDK.
Include this client in your .NET project from the .NET CLI with:
Or using the NuGet Package Manager with:
Refer to the Duo Universal Prompt C# example project for a complete example of how to use the SDK.
After you perform primary authentication (e.g. look up a user's username and password in your database), you should create a Client() object which initializes the secondary authentication process.
Client() takes your Duo Web application's Client ID (or Integration key) as client_id, Client secret (or Secret key) as client_secret, and API hostname as api_host information from the Duo Admin Panel, as well as a redirect uri which Duo will use to redirect back to your application after authentication.
The redirect URI will be a separate endpoint on your service that listens for the Duo Prompt redirection callback. E.g. if your login form is at https://example.com:8080/login, then your redirect uri could be https://example.com:8080/duo-callback. This URI does not need to be publicly accessible by Duo, it will only be accessed from the end-user’s web browser. Must be a well-formed with a valid HTTPS URL and port, using a hostname (not an IP address), and a maximum length of 1024 characters.
The security of your Duo application is tied to the security of your client secret (secret key). Treat these pieces of data like a password. They should be stored in a secure manner with limited access, whether that is in a database, a file on disk, or another storage mechanism. Always transfer them via secure channels, and do not send them over unencrypted email, enter them into chat channels, or include them in other communications with Duo.
A call to health_check() determines if Duo’s servers are accessible and available to accept the 2FA request. If Duo’s servers are inaccessible for any reason (e.g. networking issues, services outage), this method raises an error, and your application can decide how to proceed (i.e. to "Fail Open" and allow the login without completing Duo authentication, or to "Fail Closed" and prohibit the login completely).
generate_state() generates a session identifier. This identifier will be passed to Duo, and should also be stored locally in your code use later to validate Duo's responses. The validation will occur in a different endpoint / web request, so you should store the state in your web framework’s session.
create_auth_url() takes the user’s username and the previously generated state and returns a URL to a Duo-hosted endpoint.
Redirect the client web browser to the previously created URI. This is where the end-user is shown the Duo Prompt to complete their authentication. The redirect code is specific to your web framework.
After Duo successfully verifies the user — authentication approval via phone call, SMS passcode, Duo Push, etc. or permitted access with bypass of interactive authentication after Duo policy evaluation — their browser is then redirected to the redirect_uri specified earlier in the Client() object. This URI should be an endpoint in your service which completes the remainder of the end-user’s login.
This request includes two GET parameters in the SDK: state and duo_code.
The state parameter value received from the redirect should be validated against the previously saved state value. If they don't match, this indicates a security issue and the login attempt should be aborted.
exchange_authorization_code_for_2fa_result() takes the code parameter from the previous step, as well as the username. This method calls Duo’s service to have your server validate that the user successfully authenticated with Duo.
This method raises a DuoException if the user fails Duo authentication for any reason. If it does not raise an error, then the user has successfully completed Duo authentication. The returned token object contains metadata about the authentication.

Troubleshooting


Need some help? Take a look at our Web SDK Knowledge Base articles or Community discussions. For further assistance, contact Support.
© 2024 Duo

source