Empower your users with the ability to manage their authentication devices by enabling Duo's self-service portal for your applications.
Duo's self-service portal saves time for both administrators and end users by eliminating the need to contact IT staff for authentication device changes. Your users can add, edit, and remove authentication methods from the Duo traditional prompt or Universal Prompt while logging in to protected applications.
The self-service portal feature is part of the Duo Premier, Duo Advantage, and Duo Essentials plans.
The self-service portal is an available option for Duo web-based applications, VPN applications, Duo Single Sign-On and Duo Access Gateway applications, Microsoft applications that offer inline self-enrollment and authentication prompt, such as Cisco SSL VPNs, Office 365, and Microsoft OWA.
Role required: Owner, Administrator, or Application Manager.
Duo's self-service portal is enabled on a per-application basis. To enable self-service for one of your applications:
Log into the Duo Admin Panel and click Applications in the left sidebar.
Click an application's name to open that application's properties page.
The self-service portal configuration option is present under "Settings" if the application supports the self-service portal feature. Check the Let users manage their devices box to enable self-service for that application.
Click the Save Changes button at the bottom of the application's properties page.
If you enable self-service for an application, consider disabling phone callback as an authentication method or applying some additional policy controls to the application, such as restricting User Location to your expected countries, or reducing your max credits per action telephony setting to only the credit amount needed for phone calls to your users' expected locations to avoid telephony misuse via the self-service portal.
Role required: Owner or Administrator
You can apply a separate policy to the self-service portal within the Universal Prompt and Duo Central device management. This allows for stricter access while maintaining a different policy for normal application access. This policy will be applied anywhere the self-service portal is enabled. Access to the self-service portal is still enabled on a per-application basis.
To enable the self-service portal policy:
Log into the Duo Admin Panel and click Policies in the left sidebar.
Click on Self-Service Portal in the left sidebar under "Policies".
Under "Policy" click on Apply a policy to all users to apply a self-service portal policy for all users. Follow the policy documentation on how to create and apply a custom application policy.
Duo recommends only allowing phishing-resistant authentication methods. We recommend only enabling the following authentication methods:
Scroll down to "Settings". These settings are a portion of the same settings seen in a 2FA application's settings. See application options for more information. Once you have configured the settings, click Save.
If self-service portal policy isn't already enabled, select the radio button next to Use the policies below to control access to the self-service portal at the top of the page.
Click Apply policies. The self-service portal page shows the policies enabled.
Please note the following restrictions:
Once enabled, you can view when users access the self-service portal in the authentication logs.
The self-service portal options for Duo Central, the application access portal for Duo Single Sign-On, go beyond device management during login, and provide access to the device management portal for users after completing primary and secondary Duo authentication from a convenient "Manage Devices" link in Duo Central, or from a standalone device management URL that can be provided directly to users.
With self-service enabled your users can enroll a new mobile phone, tablet, landline, security key, or Touch ID on a Mac. They can also rename an existing phone or tablet device, activate Duo Mobile, set a phone or tablet device as the default for Duo Push and phone call, or remove an existing device. Users may remove (but not add) hardware tokens from the device management portal as well.
After passing primary authentication, users see Add a New Device and My Settings & Devices links on the Duo two-factor authentication page. Duo authentication is required for access to the self-service pages.
Your end users can quickly add another authentication device with the Add a New Device utility, while clicking My Settings & Devices prompts the user to complete two-factor authentication, then shows the device management portal.
In the Universal Prompt, users can register Duo Push for a new smartphone or tablet, add WebAuthn methods like Touch ID on a Mac or security keys from supported browsers, or add a mobile or landline phone for SMS and phone call verification. They can also rename or remove an existing Duo Push, security key, Touch ID, or phone device. Users may remove (but not add) hardware tokens from the device management portal as well.
After passing primary authentication, users click the Other options link shown on the Duo authentication screen to return to the device list. The Manage devices option is at the bottom of the device list. Duo authentication with a previously added authentication method or a bypass code provided by a Duo administrator is required to gain access to device management.
Users can rename or remove existing devices with the Edit options, or use Add a device to register another authentication device.
For additional information about device management from the Universal Prompt, see Add or Manage Devices After Enrollment in the Duo user guide.