> Describes how to configure Cisco Duo Security for MFA.

# Configure Cisco Duo Security for MFA

export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
  const [displayText, setDisplayText] = useState(children);
  const [copyText, setCopyText] = useState(children);
  const wrapperRef = React.useRef(null);
  useEffect(() => {
    let unsubscribe = null;
    function init() {
      if (!window.autorun || !window.rootStore) {
        return;
      }
      unsubscribe = window.autorun(() => {
        let processedChildrenForDisplay = children;
        let processedChildrenForCopy = children;
        for (const [key, value] of window.rootStore.variableStore.values.entries()) {
          const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
          let displayValue = value;
          if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") {
            displayValue = value.substring(0, 3) + "*****MASKED*****";
          }
          processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue);
          processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value);
        }
        setDisplayText(processedChildrenForDisplay);
        setCopyText(processedChildrenForCopy);
      });
    }
    if (window.rootStore) {
      init();
    } else {
      window.addEventListener("adu:storeReady", init);
    }
    return () => {
      window.removeEventListener("adu:storeReady", init);
      unsubscribe?.();
    };
  }, [children]);
  useEffect(() => {
    if (!wrapperRef.current) return;
    const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
    let isOverriding = false;
    const handleClick = e => {
      const button = e.target.closest('[data-testid="copy-code-button"]');
      if (!button || !wrapperRef.current.contains(button)) return;
      isOverriding = true;
      navigator.clipboard.writeText = text => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
          return originalWriteText(copyText);
        }
        return originalWriteText(text);
      };
      setTimeout(() => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
        }
      }, 100);
    };
    const wrapper = wrapperRef.current;
    wrapper.addEventListener('click', handleClick, true);
    return () => {
      wrapper.removeEventListener('click', handleClick, true);
      if (navigator.clipboard.writeText !== originalWriteText) {
        navigator.clipboard.writeText = originalWriteText;
      }
    };
  }, [copyText]);
  return <div ref={wrapperRef}>
      <CodeBlock filename={filename} icon={icon} language={language} lines highlight={highlight}>
        {displayText}
      </CodeBlock>
    </div>;
};

<Card title="Before you start">
  * Configure your Duo account. For more information, read [Getting Started on Duo Docs](https://duo.com/docs/getting-started#getting-started).
  * Create a [Duo Security Web SDK integration](https://duo.com/docs/duoweb) and record the **Integration Key**, **Secret Key**, and **API hostname** credentials.
</Card>

Cisco Duo is a multi-faceted authentication provider and can only be used on your Auth0 tenant if all other factors are disabled. Your Duo account can support push notifications, SMS, OTP, phone callback, and more based on your configuration.

You cannot enable Duo while other factors are enabled. Duo is available to users only when it is the sole factor enabled.

The application will prompt the user for the second factor with Duo, listing the options you have enabled in your Duo account.

Your users can download Duo from [Google Play](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile) or the [App Store](https://itunes.apple.com/us/app/duo-mobile/id422663827?mt=8) for use as a second factor.

## Configure Duo

To configure Duo Security, you must pass your Duo credentials to your application in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>.

1. Go to [Dashboard > Security > Multi-factor Auth > Duo Security](https://manage.auth0.com/#/security/mfa/duo) and enable it.
2. Enter the information in the fields to link your Duo account to Auth0.
3. Select **Save**.

## Use Actions to enable Duo

To enable Duo within an Action, pass `duo` as the `provider` parameter when you enable <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=multi-factor+authentication">multi-factor authentication</Tooltip>.

```js lines theme={null}
exports.onExecutePostLogin = async (event, api) => {
  api.multifactor.enable('duo', { allowRememberBrowser: false });
};
```

Duo does not provide an option for "Remember Me" behavior. The 30-day MFA session is hard-coded to remember the user after the initial login.

To force your users to log in with Duo every time, create a rule with `allowRememberBrowser: false`.

## Actions template for Duo

This template provides an example and starting point to trigger multi-factor authentication with [Duo Security](http://duosecurity.com/) when a condition is met.

Upon first login, the user can enroll the device.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  You need to create two integrations in Duo Security: one of type **Web SDK** and one of type **Admin SDK**.
</Callout>

export const codeExample = `exports.onExecutePostLogin = async (event, api) => {

	const CLIENTS_WITH_MFA = ['{yourClientId}'];
	// run only for the specified clients
	if (CLIENTS_WITH_MFA.includes(event.client.client_id)) {

		// uncomment the following if clause (and its closing brace below) to request a second factor only from users that have user_metadata.use_mfa === true
		// if (event.user.user_metadata && event.user.user_metadata.use_mfa) {

		api.multifactor.enable('duo', {
			// Duo credentials, stored as Action secrets and read from event.secrets
			providerOptions: {
				ikey: event.secrets.DUO_IKEY,
				skey: event.secrets.DUO_SKEY,
				host: event.secrets.DUO_HOST,
				// optional. Use some attribute of the profile as the username in DuoSecurity. This is also useful if you already have your users enrolled in Duo.
				// username: event.user.nickname
			},
			// optional, defaults to true. Set to false to force DuoSecurity every time.
			// See https://auth0.com/docs/multifactor-authentication/custom#change-the-frequency-of-authentication-requests for details
			allowRememberBrowser: false
		});

		// }
	}

};`;

<AuthCodeBlock children={codeExample} language="js" />

## Current limitations

* You cannot use [Auth0 MFA Enrollment Tickets](/docs/secure/multi-factor-authentication/multi-factor-authentication-developer-resources/create-custom-enrollment-tickets) to enroll users with Duo. Onboard those users from Duo itself.
* If you use <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip>, you must enable Duo in an Action with `provider` set to `duo` as described previously. You can conditionally use Duo or the built-in Auth0 provider for specific applications.
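
The per-application choice between Duo and the built-in provider can be written as a pure decision function that fails closed when a Duo secret is missing. This is an added example, not Auth0's own code. The client IDs are constructed placeholders, `'any'` standing in for the built-in provider is an assumption, and the `DUO_*` values are assumed to be stored as Action secrets.

```js
// Added example (not Auth0's code). Client IDs are constructed placeholders.
const DUO_CLIENTS = ['constructed-duo-client-id'];        // apps that must use Duo
const BUILT_IN_CLIENTS = ['constructed-other-client-id']; // apps that use the built-in provider
const BUILT_IN_PROVIDER = 'any'; // assumption: any factor configured on the tenant

// Pure decision function, so the policy can be unit-tested without a tenant.
function planMfa(event) {
  const clientId = event.client.client_id;
  if (BUILT_IN_CLIENTS.includes(clientId)) {
    return {
      action: 'enable',
      provider: BUILT_IN_PROVIDER,
      options: { allowRememberBrowser: false },
    };
  }
  if (!DUO_CLIENTS.includes(clientId)) {
    return { action: 'skip' }; // application is not covered by this Action
  }
  const { DUO_IKEY, DUO_SKEY, DUO_HOST } = event.secrets || {};
  // Fail closed: a missing secret must block the login,
  // not silently drop the second factor.
  if (!DUO_IKEY || !DUO_SKEY || !DUO_HOST) {
    return { action: 'deny', reason: 'MFA is required but Duo is not configured.' };
  }
  return {
    action: 'enable',
    provider: 'duo',
    options: {
      providerOptions: { ikey: DUO_IKEY, skey: DUO_SKEY, host: DUO_HOST },
      allowRememberBrowser: false, // prompt for Duo on every login
    },
  };
}

// Post-login handler: applies the plan through the Actions api object.
const onExecutePostLogin = async (event, api) => {
  const plan = planMfa(event);
  if (plan.action === 'deny') return api.access.deny(plan.reason);
  if (plan.action === 'enable') api.multifactor.enable(plan.provider, plan.options);
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Because `planMfa` takes only the `event` object, the deny and skip branches can be exercised locally with constructed events before the Action is deployed.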
