Duo Authentication (2.3.17 and older)

Christopher Dakin
This article is marked as obsolete.

Introduction

LogonBox supports user authentication using the service from Duo Security. This method of authentication works along with an app on a mobile phone to provide multi-factor authentication.

This article explains how to configure your LogonBox to use this method.

1. Configuring the Authentication Scheme

It is important to note that you can apply different authentication flows for six different types of logon: User Logon, Password Reset, Client, Account Unlock, SSO and Admin Logon.

Each of these can have their own default authentication flow configured, but for this article we shall alter Password Reset.

Navigate to Authentication->Schemes->Password Reset. Note that by default this is configured with a yellow Username module and a green Security Questions one.

Duo is a green module, so it must exist along with either a yellow or blue module, which we already have here.

Let’s keep the existing Username and Security Questions modules and add the Duo module by clicking the plus icon next to Duo to add it into the authentication flow.

This module can be placed anywhere after the Username one, so let's place it after Security Questions and click Save at the bottom.

2. Creating a Duo Security account

You must now configure LogonBox to allow it to connect to Duo Security to check the authentication. Click on the edit icon inside the Duo module to see these settings.

You will need an Integration Key, a Secret Key and an API Hostname which you can get from Duo.

On this screen, click on the provided link to visit the Duo Security signup page.

Enter all of the information you are prompted for and click Create My Account.

Create a password and click Continue.

At this point, go to the App Store for your phone and find and install the Duo Mobile app, then launch it.

Click the Add Account button and accept any permissions the app may ask for.

The app should now have activated the camera. Point it at the Duo account creation web page, which should have a QR code visible.

The account should be configured and you can click Continue on the web page to proceed.

Finally, set a backup number and click Finish.

Now, as you have the app open, click Duo Push which will cause your app to prompt for authorisation.

Click on Approve to log in.

3. Setting up the Duo application and completing configuration

After authorising in the last step above, you should now be logged on to the Duo Security web site. We now need to configure LogonBox as an application in Duo.

If you are not at this page already, navigate to Applications->Protect an Application and search for Web SDK.

Click Protect this Application.

You are now given the three items of information you need to configure your LogonBox: an Integration Key, a Secret Key and an API Hostname.

Make a note of these and click Save Changes.

Now go back to your LogonBox and edit the Duo Authentication module again. Enter the three values noted above in the relevant places and click Apply.
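As an added illustration of what the Integration Key and Secret Key are used for in a Web SDK integration like the one set up above (this is example code, not LogonBox's or Duo's own), the following Python mirrors Duo's published Web SDK v2 token format: the application signs a request for Duo with the Secret Key and its own server-side application key, Duo signs the result back after the push is approved, and a login is accepted only when both signatures verify for the same user within their lifetimes. The key values, the explicit `now` parameter (a real deployment uses the current time) and `simulate_duo_approval`, which stands in for the Duo service, are constructed for the example.

```python
import base64, hashlib, hmac

# Prefixes and lifetimes used by Duo's Web SDK v2 signing scheme.
DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600  # seconds

def _hmac_sha1(key, msg):
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()

def _sign_vals(key, vals, prefix, expire, now):
    # Token layout: prefix|base64(user|ikey|exp)|hmac_sha1(key, prefix|base64)
    exp = str(int(now) + expire)
    b64 = base64.b64encode("|".join(vals + [exp]).encode()).decode()
    cookie = f"{prefix}|{b64}"
    return f"{cookie}|{_hmac_sha1(key, cookie)}"

def _parse_vals(key, val, prefix, ikey, now):
    # Return the username only if signature, prefix, ikey and expiry all check out.
    try:
        u_prefix, u_b64, u_sig = val.split("|")
        if not hmac.compare_digest(_hmac_sha1(key, f"{u_prefix}|{u_b64}"), u_sig):
            return None
        user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
        if u_prefix != prefix or u_ikey != ikey or int(now) >= int(exp):
            return None
    except (ValueError, TypeError, UnicodeDecodeError):
        return None
    return user

def sign_request(ikey, skey, akey, username, now):
    # Application side, before the Duo prompt is shown: TX part for Duo, APP part for us.
    return (_sign_vals(skey, [username, ikey], DUO_PREFIX, DUO_EXPIRE, now) + ":"
            + _sign_vals(akey, [username, ikey], APP_PREFIX, APP_EXPIRE, now))

def verify_response(ikey, skey, akey, sig_response, now):
    # Application side, after Duo posts sig_response back; both halves must name the same user.
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    return auth_user if auth_user is not None and auth_user == app_user else None

def simulate_duo_approval(ikey, skey, sig_request, now):
    # Constructed stand-in for the Duo service (not Duo code): after an approved push it
    # re-signs the TX token's user as AUTH with the Secret Key and echoes the APP part.
    tx_sig, app_sig = sig_request.split(":")
    user = _parse_vals(skey, tx_sig, DUO_PREFIX, ikey, now)
    return _sign_vals(skey, [user, ikey], AUTH_PREFIX, DUO_EXPIRE, now) + ":" + app_sig
```

The application key never leaves the application, so a response that Duo has signed cannot be replayed against a different application, and an unanswered request token is not accepted as a response.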

4. User authentication setup

The first time a user attempts to authenticate with Duo, they will be prompted to set up their account as soon as they get to the Duo step of the Authentication scheme.

The user should be prompted with this screen; click Start Setup.

Select the type of device you will be using to authenticate with (in this case a mobile phone) and click Continue.

Enter your telephone number and confirm it then click Continue.

Select the type of phone and click Continue.

The user is now prompted to install the app, which we have already done here. Click I have Duo Mobile installed when ready.

As before, in the Duo Mobile app, add a new account and scan in the QR code.

Duo is now activated for this user; click Continue.

A final page appears to confirm some settings. Here we chose the option to automatically send this device a Duo Push.

Click Continue to Login.

Click Send Me a Push, then authorise the request that appears on your mobile device.

5. Using the Duo authenticator as a module on its own

The above example used Duo along with another form of authentication because Duo, by default, allows users to enroll themselves.

With just Username + Duo, anyone who knows a username could enroll their own device against that user in Duo and then go on to reset that user's password, which is a security risk.

If you wish to use just the Duo authenticator on its own, it is recommended to turn off enrollment in your Duo configuration.

To do this on the Duo web site, navigate to Policies and edit either the Global Policy or application specific policy and change the New User policy from Require Enrollment to Deny Access.

You would then have to add your users manually through the Duo site.

6. Testing

As we have configured this scheme for Password Reset, to test this click on the Reset Password link on the main LogonBox portal. We will show the usual authentication flow after a user has already set up their Duo account.

Enter the username of the user to be reset and click Next.

They will then be prompted for Duo authentication. Click Send Me a Push.

Approve the request that appears on the mobile app.

The authentication continues with the other modules that may be configured (in this case Security Questions) after which the user is prompted to reset their password.