See also: CalNet 2-Step for information about using Duo MFA with CalNet CAS-protected web sites.
Background
We are running a limited deployment of Duo Security's Multifactor Authentication (MFA) service for campus IT staff for non-web integrations. To help manage user administration, we are asking for two designated admins per IT staff group. These admins will be responsible for enrolling their IT staff and administering their integration with Duo services.
Getting started
Please provide the following in a note to calnet-mfa@lists.berkeley.edu:
- names and SMS-capable phone numbers for the two new admins (one primary and one backup) for your group
- proposed group name in the Duo Admin app
Recommendations for admins
- Create and use a Duo group to keep your users and Duo integrations (applications) together for ease of applying policies, etc.
- Use the Bulk Enroll Users feature to allow your users to easily self-enroll
- Since there is a cost for telephony-based Duo authentication, i.e., authentication via SMS messages, please install the Duo app for your users where possible and have them use Duo Push as their usual method, with Duo Mobile-generated passcodes as a backup authentication option.
- Optionally, hardware tokens such as YubiKeys can provide additional security using OTPs or U2F, depending on the application.
Duo documentation links
For admins:
For end-users:
Contributed integration examples
Feel free to send us any example Duo integration configurations or other Duo tips and advice that you would like to share with the campus.
- Finding the Duo Authentication Proxy reference doc: this one is a bit hidden on the Duo doc site; see Authentication Proxy - Configuration Reference
Contact us
For general questions, and for requests for access to the service, write to calnet-mfa@lists.berkeley.edu.