
How to Set Up MFA with Duo Security

Duo Security is the fastest way to add MFA to any system — including legacy apps and VPNs that don't natively support modern authentication. This guide covers the essential deployment steps.


Why Duo?

Duo Security excels in hybrid environments where you have a mix of cloud and on-premises systems. If your estate is entirely Microsoft, Entra ID MFA may be sufficient. But if you also have a VPN, legacy web apps, or on-premises systems, Duo provides a single MFA layer across all of them.

Setting Up Duo for Your VPN

VPN is typically the highest-priority target for MFA — it's the most exposed system in most organisations.

  1. Sign up at duo.com and create your account
  2. In the Duo Admin Panel: Applications → Protect an Application → search for your VPN type
  3. Follow the VPN-specific integration guide (Cisco AnyConnect, Palo Alto GlobalProtect, etc.)
  4. Deploy the Duo Authentication Proxy on a Windows Server if your VPN uses RADIUS
  5. Test with a pilot user before rolling out to all staff
  6. Enable Number Matching in Duo Admin Panel → Policies → Edit Global Policy
💡
  • Number matching shows a code on the login screen that the user must enter into the Duo Push prompt on their phone. Because a push can no longer be approved blindly, this defeats MFA fatigue (push-bombing) attacks.

Duo Device Health Check

Duo can check the health of the device before allowing access — blocking logins from unmanaged or unhealthy machines.

  1. Enable Duo Device Health in Admin Panel → Policies
  2. Require: OS is up to date, disk encryption enabled, screen lock enabled
  3. Deploy Duo Device Health app to managed endpoints via Intune/SCCM
  4. Set enforcement to 'Monitor' first — review the impact before blocking

Common Pitfalls

💡
  • Always create bypass codes for users who lose their phone — have a helpdesk process ready from day one
  • Don't enforce Duo on shared accounts — these need a different MFA approach (hardware tokens)
  • Export Duo authentication logs to your SIEM for anomaly detection and compliance evidence
  • Test your RADIUS/proxy configuration thoroughly — a misconfiguration can lock out all VPN users

If you are using the Duo Authentication Proxy, it becomes a critical infrastructure component. Deploy it on a dedicated VM with monitoring and redundancy.
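Exporting Duo authentication logs to a SIEM (the pitfall above) only pays off with detection logic on top of them. This is an added example, not from the page or from Duo: Python that parses constructed events in the shape of Duo's v2 authentication log (the field names are my assumption about that schema) and flags the push-bombing pattern that number matching is meant to stop, plus any bypass-code logins so they can be reconciled against helpdesk tickets.

```python
import json
from collections import defaultdict

# Constructed sample events shaped like Duo's v2 authentication log export (one JSON object
# per line). Field names are my assumption about that schema; the values are made up.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"timestamp": 1700000000, "user": {"name": "alice"}, "factor": "duo_push",
     "result": "denied", "reason": "no_response", "application": {"name": "Corp VPN"}},
    {"timestamp": 1700000045, "user": {"name": "alice"}, "factor": "duo_push",
     "result": "denied", "reason": "user_mistake", "application": {"name": "Corp VPN"}},
    {"timestamp": 1700000090, "user": {"name": "alice"}, "factor": "duo_push",
     "result": "denied", "reason": "no_response", "application": {"name": "Corp VPN"}},
    {"timestamp": 1700000130, "user": {"name": "alice"}, "factor": "duo_push",
     "result": "success", "reason": "user_approved", "application": {"name": "Corp VPN"}},
    {"timestamp": 1700000200, "user": {"name": "bob"}, "factor": "duo_push",
     "result": "denied", "reason": "no_response", "application": {"name": "Corp VPN"}},
    {"timestamp": 1700000300, "user": {"name": "carol"}, "factor": "bypass_code",
     "result": "success", "reason": "valid_passcode", "application": {"name": "Corp VPN"}},
]]

FATIGUE_THRESHOLD = 3  # denied or unanswered pushes per user ...
WINDOW_SECONDS = 600   # ... within any sliding window of this length

def parse_records(lines):
    """Parse one JSON event per line (as exported to a SIEM) into dicts."""
    return [json.loads(line) for line in lines]

def detect_push_fatigue(records, threshold=FATIGUE_THRESHOLD, window=WINDOW_SECONDS):
    """Map user -> peak number of non-successful Duo Push attempts inside one window.
    A burst of denied/unanswered pushes ending in an approval is the MFA-fatigue pattern."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("factor") == "duo_push" and r.get("result") != "success":
            by_user[r["user"]["name"]].append(r["timestamp"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def detect_bypass_code_use(records):
    """(user, application) pairs that logged in with a bypass code; each should match a helpdesk ticket."""
    return sorted({(r["user"]["name"], r["application"]["name"])
                   for r in records if r.get("factor") == "bypass_code"})
```

On the sample data alice is flagged with three unanswered or denied pushes in ten minutes before her approval, bob is not, and carol's bypass-code login is listed for review.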