You can configure Duo Security authentication in Workspace ONE Access to be the second source of authentication when users access their resources in Workspace ONE.

To use Duo Security authentication with Workspace ONE Access, you must have an account in Duo. To prepare Workspace ONE Access to work with Duo two-factor authentication, you log in to your Duo account and add Workspace ONE Access as a new Web SDK application.

When Workspace ONE Access is added as a Web SDK application in Duo, Duo generates information that is required to enable Duo authentication in the Workspace ONE Access console. Copy the integration key, secret key, and API host name from the Details section of the Web SDK page.

In addition to adding the Duo configuration information in the Workspace ONE Access console, you select the user name format to use to look up users in Duo. The format can be the user name or email address. Make sure that the user name or email address in the Duo user accounts match the user name or email address in the Workspace ONE directory. Otherwise authentication with Duo fails.

Note: If more than one domain is configured in your Workspace ONE Access environment or if multiple users have the same name, select the email address as the user name format.
When Duo is configured as the second authentication method, Duo manages the end user's experience after they are authenticated in Workspace ONE Access.
  • Users must be enrolled into the Duo Security service to use DUO multi-factor authentication. If a user is not enrolled when they log in, after Workspace ONE Access is used to authenticate them, the Duo service prompts them to self-enroll. Users are guided through the Duo installation and configuration process.
  • After users are enrolled in Duo, when users sign in, Workspace ONE Access authenticates the user. Duo sends a sign-in request to the user’s device. The user responds to the Duo request and is authenticated.


  • A Workspace ONE Access account created in the Duo Security service.
  • In the Duo Web SDK page, copy the following information.
    • Integration key
    • Secret key
    • API host name
  • Determine the user name format to use, either user name or email address.


  1. In the Workspace ONE Access console Identity & Access Management tab, go to Manage > Authentication Methods.
    1. In the Duo Security row, click the pencil icon.
    2. Configure the Duo Security settings.
      Option Description
      Enable Duo Security Enable Duo Security authentication.
      Integration Key Enter the integration key from the Duo.Web SDK page.

      The integration key with the secret key uniquely identifies Workspace ONE Access to Duo.

      Secret Key Enter the secret key from Duo Web SDK page.
      API Host Name Enter the API host name from the Duo Web SDK page. The API host name is unique to your Workspace ONE account in Duo. The host name is used to verify user identities.
      Username Format Select either username or email address as the user name format that to use to look up users in Duo.
      Duo Authentication Timeout (sec) Workspace ONE Access manages when the response to the Duo authentication request expires in the Workspace ONE Access service. Enter the time in seconds to wait for a response. The timeout setting can be set from 30 and 180 seconds. The default is 120 seconds.
    3. Click Save.
  2. Navigate to Manage > Identity Providers and select the Built-In identity provider.
    1. In the Authentication Methods section, select Duo Security.
    2. Click Save.

What to do next

Create the access policy rule to use Duo Security as the second authentication method for two-factor authentication in Workspace ONE Access.