How to configure passbolt to use Duo OTP

Passbolt Pro Edition since v2.5 and CE since 3.9 support Duo as a multi factor authentication option. Duo is a proprietary solution that is free for up to 10 users, and supports a bundle of authentication channels (such as HOTP, mobile push, phone calls, etc.) configurable by the Duo account administrator.

fig. Duo website

Security considerations

It is important to enable and setup at least one additional multi factor authentication provider in case Duo service becomes temporarily not available.

In order to use Duo authentication the user will need to interact with an iframe with content served by passbolt. Make sure your users have access to internet or do not enable this authentication provider if you are running passbolt on a private network that is not connected to internet.

Install Duo app

In order to use this authentication provider each of your users will need to install the Duo mobile app on their phone or tablet.

• Duo Mobile for Android on google play store.
• Duo Mobile for iOS on apple itunes.

fig. Duo mobile application

Get a Duo account

If you do not have a Duo account, first sign up at https://signup.duo.com/ Then log in to the Duo Admin panel at https://admin.duosecurity.com/login

Configure your Duo policies as required by your organization.

Add a passbolt application

In order for passbolt to enable onboarding and authentication of new users with Duo, you will need to create a passbolt application in Duo.

fig. Duo administration

When login in Duo Admin panel in the left menu, click on “Applications”, then click on “Protect an Application”. Find the “Web SDK” application and click on “Protect this Application”.

Note down the Integration Key, Secret Key, and API Hostname details, as you will need them to configure the integration.

Set the configuration in passbolt

You can configure Duo OTP using either the admin interface or environment variables. If multiple settings providers are used the settings in the admin interface will override the one in environment variables.

You will need to generate a random 40 character string to be used as salt, to help secure your integration.

Using admin user interface

Since v2.6 a user interface is provided for administrators to setup MFA providers. Click on “administration” in the top menu, then “multi factor authentication” on the left menu. You can then enable or disable the Duo provider by providing the user id and secret key that you gathered in the previous steps. Click “save settings” when you are done.

fig. MFA organization settings for Duo

Using environment variables

When you using docker to set these environment variable you can pass them as arguments, like other variables such as the database name, for example:

$ docker run --name passbolt \
             -p 80:80 \
             -p 443:443 \
             -e PASSBOLT_PLUGINS_MFA_DUO_HOST=api-26e9f2fce.duosecurity.com \
             -e etc.

Setting Duo for a given passbolt user account

Once you have a the Duo integration configured and Duo app installed on your mobile you can proceed with enabling Duo as provider for your user account. It is important you test this to make sure the integration works.

fig. Passbolt duo setup

When logged in passbolt go to your profile section and click on “Multi factor authentication” in the left sidebar. You should see the list of providers that are enabled for this instance.

Click on the Duo provider. Passbolt will then display an iframe that will help you setup your device if this is the first time you are using Duo with this instance. Follow the instructions provided by Duo and you should be all set.

The next time you try login from a new device, you will be presented with a Duo authentication prompt.

fig. Login prompt