Duo Multi-Factor Authentication with WSO2 Identity Server

Dinika Senarath
6 min read · May 10, 2020

Multi-factor authentication (MFA) is a process that combines two or more independent categories of credentials associated with a user in order to authenticate that user. When MFA is enforced, the user is prompted for one or more additional forms of identification during the sign-in process.

Ideally, these independent factors should be a combination of the following categories:

  1. Something the user knows (e.g. a password, or the answer to a security question)
  2. Something the user has (e.g. a code sent to the user’s mobile phone)
  3. Something the user is (e.g. a fingerprint or facial recognition)

There are several drawbacks to using only a password for authentication. Traditional usernames and passwords are vulnerable to theft and to brute-force attacks. When MFA is enforced, it adds an additional layer of security because the user now has to verify their identity in a second, independent way as well. Therefore, organizations are focusing on enforcing MFA in their authentication systems while still providing a smooth experience to the user.

In this article, I am going to explain how to use Duo Security to enforce multi-factor authentication with WSO2 Identity Server. Duo Security is a mobile-based authentication solution that can be used with many identity providers as a secondary authentication method when two-factor or multi-factor authentication is needed (two-factor authentication is a specific type of MFA where the user’s identity is verified using exactly two factors). WSO2 Identity Server can easily be configured to use the Duo authenticator as a second factor for authentication. Let’s see how we can do that.

As the first step, we have to configure the Duo Security application. To do so, follow these instructions:

  1. Go to https://duo.com and register for a free account.
  2. After you log in with the newly created account, click on Applications in the side panel. You will then see the Applications page. Click on Protect an Application.
  3. Search for Auth API in the list and click on Protect.
  4. You will now receive an Integration Key and a Secret Key, which are used to access the Duo Security APIs.
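It helps to see concretely what those two keys are for. The block below is an added example, not code from this article or from the WSO2 Duo connector: it signs a Duo Auth API push request following Duo’s published scheme (HMAC-SHA1 over a canonical string, sent as HTTP Basic with the integration key as the user name), using constructed placeholder keys and hostname. The point for a defender is that the secret key itself never leaves the Identity Server; only a per-request signature goes over the wire.

```python
import base64
import email.utils
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials: real values come from the Duo Admin
# Panel (step 4 above); the secret key must never leave the Identity Server.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
API_HOST = "api-XXXXXXXX.duosecurity.com"

def canonicalize(date, method, host, path, params):
    """Canonical string Duo signs: RFC 2822 date, upper-case method,
    lower-case host, path, then the sorted RFC 3986-encoded parameters."""
    canon_params = "&".join(quote(k, safe="~") + "=" + quote(v, safe="~")
                            for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, canon_params])

def sign_request(ikey, skey, date, method, host, path, params):
    """Authorization header: HTTP Basic with the integration key as user name
    and the hex HMAC-SHA1 of the canonical string (keyed by skey) as password."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{sig}".encode()).decode()

def split_authorization(header):
    """Decode a header from sign_request back into (ikey, signature) so a
    reader can confirm that only the integration key travels in the clear."""
    return tuple(base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1))

def build_push_request(ikey, skey, host, username, date=None):
    """Assemble the POST that asks Duo to push a login request to the user's
    enrolled device (factor=push, device=auto). The form body is exactly the
    canonical parameter string, so it matches what was signed."""
    date = date or email.utils.formatdate(usegmt=True)
    path = "/auth/v2/auth"
    params = {"username": username, "factor": "push", "device": "auto"}
    body = canonicalize(date, "POST", host, path, params).rsplit("\n", 1)[1]
    return {
        "method": "POST",
        "url": f"https://{host}{path}",
        "headers": {
            "Date": date,
            "Authorization": sign_request(ikey, skey, date, "POST", host, path, params),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }
```

Because the Date header is part of the signed string, a captured request cannot simply be replayed later, and a leaked signature does not reveal the secret key.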

Now we are done with the configuration on the Duo side. Let’s see how we can configure WSO2 Identity Server with the Duo authenticator.

  1. Download the latest WSO2 Identity Server from here if you haven’t already done so.
  2. Now we have to deploy the Duo Security artifacts in WSO2 Identity Server. For that, go to the WSO2 Connector Store and download the Authenticator and Artifacts.
  3. Place org.wso2.carbon.extension.identity.authenticator.duo.connector-1.0.11.jar inside <IS_HOME>/repository/components/dropins.
  4. Find duoauthenticationendpoint.war among the other artifacts and place it inside <IS_HOME>/repository/deployment/server/webapps.
  5. Download okio-1.9.0.jar from here and place it in <IS_HOME>/repository/components/lib.
  6. Run WSO2 Identity Server and log in to the management console. Follow this if you need more instructions.
  7. Click on Add under Identity Providers in the left side panel.
  8. Provide a suitable name for Identity Provider Name and go to Federated Authenticators -> Duo Configuration.
  9. Provide the Integration Key, Secret Key, and the API Hostname that you obtained from Duo here. Tick both Enable and Default to enable the Duo authenticator by default. (Leave the optional Admin Secret Key and Admin Integration Key blank.) Then click on Register.

Now we are done with the Identity Provider configuration. To test the authentication flow with Duo as the second-factor authenticator, let’s configure a sample Service Provider and set Duo as the second-factor authentication mechanism when logging in to that Service Provider.

For this, you can deploy the Travelocity sample web app by following the documentation on deploying the sample web application. That document guides you through configuring the Travelocity service provider in WSO2 IS and deploying the Travelocity web app on Tomcat.

After the basic Service Provider configuration, we have to set up Duo as the second-factor authentication for Travelocity. To do that, navigate to Main > Identity > Service Providers in the WSO2 IS management console and choose Edit under the Travelocity Service Provider. Navigate to Local & Outbound Authentication Configuration and select Advanced Configuration as the authentication type.

Here you will have to add two authentication steps. Click on Add Authentication Step, then select Basic under Local Authenticators and click on Add Authenticator. This adds the basic password-based authentication step as the first step of the multi-factor authentication flow.

Click on Add Authentication Step again to add a second step. Under Federated Authenticators you will find the Duo Authenticator that you configured in steps 7 and 8. Select it as the second step by clicking on Add Authenticator. Click on Update to save the configuration.

Now we have successfully configured Duo as the second-factor authenticator for the Travelocity sample service provider, and deployed the Travelocity web application on a web container such as Tomcat. We can now test how Duo MFA works by trying to log in to Travelocity.

To do that, first navigate to the Travelocity web app in a web browser (if you deployed Travelocity on a Tomcat server, navigate to http://<TOMCAT_HOST>:<TOMCAT_PORT>/travelocity.com/index.jsp). Then select “Click here to login with SAML (Redirect binding) from WSO2 Identity Server”.

Since we configured basic authentication as the first step, you will be prompted for a username and password. Provide the correct username and password and continue.

Now, as the second authentication step, you must authenticate with Duo. Since this is the first time you are logging in with Duo authentication enabled, you will be guided through a series of steps to set up Duo authentication with your mobile device. To initiate the setup, click on Start Setup.

Note: WSO2 Identity Server also supports provisioning its users to Duo, and validating users’ mobile numbers with the ones saved in Duo Security. I will explain how to configure them in a coming article.

After successful completion of initial setup, you will see the following prompt where Duo authenticator requests you to authenticate yourself via Duo Push or Passcode options.

Duo Push sends a login request to your mobile device. The Passcode option sends a code as an SMS to your mobile device. Either way, you must have the mobile phone in your possession to successfully authenticate to the system.

Remember that at the beginning of this article I talked about three types of independent factors that should be used in combination when MFA is enforced? This article described an approach that covers two of those types during authentication. Basic authentication covers the knowledge factor — something the user knows. Duo as the second authentication step covers the possession factor — something the user has. In combination, these two provide much more secure authentication than using only one of them.

In this article, I tried to give you a brief idea of multi-factor authentication, and of how WSO2 Identity Server can be configured to use Duo Security as a second factor for authentication. Hope you enjoyed reading..!
