DuoSecurity

From WHMCS Documentation

Revision as of 14:59, 15 September 2016 by John (talk | contribs)

<<<<<< Back to Security Modules

What is DuoSecurity

Duo Security enables your users to secure their logins and transactions using their smartphones. The Duo Mobile smartphone application is free and available on all major smartphone platforms, and lets users easily generate passcodes without the cost and hassle of hardware tokens. iPhone, Android, BlackBerry, and Windows Phone users can use Duo Push which “pushes” login or transaction details to the phone, allowing for immediate, one-tap approval.

Older devices like cellphones and landlines are also fully supported. Duo can send passcodes via text message, or place a phone call - users just press a button on their keypad to authenticate. DuoSecurity will prompt you for a phone number and option to receive a text or phone call. After the text or phone call is received, input the authentication code to proceed.

A second optional page at initial login will prompt to download the DuoSecurity mobile application which performs push notifications allowing you to restrict or allow access under your user from your phone.

You will require your own Duo Security account, they are available free of charge and allow up to 10 users to authenticate: Signup Here.

Configuration

Protect an Application
Protect Auth API

First Login to your account on the DuoSecurity website:

  1. Click Applications in the left sidebar
  2. Click Protect an Application
  3. Locate the Auth API option
  4. Beneath it click Protect this Application
  5. Take note of following values:
  • Integration Key
  • Secret Key
  • API hostname

Now login to your WHMCS Admin area as a Full Administrator user:

Complete configuration in WHMCS
  1. Navigate to Setup > Staff Management > Two-Factor Authentication
  2. Click the "Activate" button next to Duo Security
  3. Enter the Integration Key, Secret Key and API Hostname you noted down earlier into the corresponding fields.
  4. Click Save Changes



Common Errors

The second factor you supplied was incorrect. Please try again

Seeing this error when activating the DuoSecurity method for the first time means that the code being entered does not match that which DuoSecurity expects. This is caused by the time on your server not matching DuoSecurity's clocks

You can see the time in the top-right corner of your WHMCS admin area, it's taken directly from your server's PHP configuration. So you must ensure the server time is synced exactly with UTC. For example if the server time is 00:01 and the time at DuoSecurity is 00:00 you will see this error. Syncing the server with NTP to ensure the time is exactly right will resolve this.

Different time-zones are taken into account, so time-zone differences won't cause a problem.