Configure Cisco Duo Security for MFA

Configure Cisco Duo Security for MFA

Cisco Duo is a multi-faceted authentication provider and can only be used on your Auth0 tenant if all other factors are disabled. Your Duo account can be configured to support push notifications, SMS, OTP, phone callback, and more.

If other factors are enabled with other providers, you cannot also enable Duo. Duo is only available to users when it is the sole factor enabled.

The user will see a prompt for the second factor with Duo, listing the options you have enabled in your Duo account.

Security Multi-Factor Authentication Cisco Duo Security Login screen example

Your users can download Duo from Google Play or from the App Store for use as a second factor.


Create an integration in Duo Security of type Web SDK and capture the assigned credentials. See the Duo documentation for more details on Duo setup.

Configure Duo

You will use the Duo credentials to fill in the Duo settings in the Auth0 Dashboard.

  1. Go to Dashboard > Security > Multi-factor Auth > Duo Security and enable it.

  2. Enter the information in the fields to link your Duo account to Auth0.

    Dashboard - Security - Multifactor Auth - Duo Security
  3. Click Save.

Enabling Duo from Rules

If you want to enable Duo from Rules, you need to use set provider : 'duo' :

function (user, context, callback) {
  context.multifactor = {
    provider: 'duo',
    allowRememberBrowser: false

  callback(null, user, context);

Was this helpful?


Note that Duo does not provide an option for "Remember Me" behavior, so a 30-day MFA session is hard-coded to remember a logged-in user and not prompt them every time they log in.

If you want to force your users to log in with Duo every time, you can create a rule with allowRememberBrowser: false.

Current Limitations

  • You cannot use Auth0 MFA Enrollment Tickets to enroll users with DUO, you will need to onboard those users from DUO itself.

  • If you use New Universal Login, DUO needs to be enabled from a rule with provider:'duo' as described above. You could conditionally use DUO for some applications, and the built-in Auth0 providers for others.

Learn more