DuoSecurity
< Back to Two-Factor Authentication
Contents
What is Duo Security
Duo Security allows your users to secure their logins and transactions using their smartphones.
The Duo Mobile app is free and available on all major smartphone platforms, and lets users easily generate passcodes without the cost and hassle of hardware tokens.
iPhone, Android, BlackBerry, and Windows Phone users can use Duo Push which “pushes” login or transaction details to the phone, allowing for immediate, one-tap approval.
Why Duo Security?
Duo works by adding a second identity verification, by requiring two factors: First, your password (the thing you know) then something unique (that you have) like your phone.
By enabling Duo Security, you add another layer of security that prevents attackers from being able to login using only your password.
You will require your own Duo Security account. A 'Duo MFA' or higher level account is required to access the Duo API: Click here to signup.
Configuring Duo Security
To configure Duo Security in WHMCS, follow the steps below:
- Begin by logging in to your account at Duo Security
- Click Applications in the left sidebar
- Click Protect an Application
- Locate the Auth API option
- If you are missing this option from your Duo account, you will need to contact Duo to have them activate this for your account
- Beneath it click Protect this Application
- Take note of following values:
- Integration Key
- Secret Key
- API hostname
Now login to your WHMCS Admin area as a Full Administrator user:
- Navigate to Setup > Staff Management > Two-Factor Authentication
- Click the "Activate" button next to Duo Security
- To enable Duo Security as a two-factor option for staff, tick the checkbox labelled Enable for Staff
- To enable Duo Security for customers, tick the checkbox labelled Enable for Clients
- Enter the Integration Key, Secret Key and API Hostname you noted down previously where requested
- Click Save Changes
Enabling Duo Security as an Admin User
To enable Duo Security for your admin user account, begin by configuring Duo Security as instructed above.
Once complete, navigate to the My Account page within the WHMCS admin area and from there you will see an option to enable Two-Factor Authentication.
You will then be guided through the setup process.
On all future login attempts, you will be asked to complete the Two-Factor Authentication process.
Enabling Duo Security as a Client
Login to the WHMCS client area and then navigate to My Account > Security Settings.
From there, click the Enable Two-Factor Authentication button.
You will then be guided through the setup process.
On all future login attempts, you will be asked to complete the Two-Factor Authentication process.
Troubleshooting
The second factor you supplied was incorrect. Please try again
Seeing this error when activating the DuoSecurity method for the first time means that the code being entered does not match that which DuoSecurity expects. This is caused by the time on your server not matching DuoSecurity's clocks
You can see the time in the top-right corner of your WHMCS admin area, it's taken directly from your server's PHP configuration. So you must ensure the server time is synced exactly with UTC. For example if the server time is 00:01 and the time at DuoSecurity is 00:00 you will see this error. Syncing the server with NTP to ensure the time is exactly right will resolve this.
Different time-zones are taken into account, so time-zone differences won't cause a problem.