# 2FA with Duo

Keeper Connection Manager provides support for Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. This integration utilizes the [Duo Web SDK](https://duo.com/docs/duoweb) V4.

### Duo Setup

From the Duo Security Admin portal:

* Select "Protect an Application"
* Search for "Web SDK" (Do NOT select Keeper Security - this is for the Vault only)
* Select Web SDK and click "Protect"
* Capture the Client ID, Client Secret, and API Hostname
* Provide these three values as `DUO_*` environment variables to the `keeper/guacamole` Docker image.

### Docker Environment Variables

The `keeper/guacamole` image section of the `docker-compose.yaml` file can be modified to support Duo using the following environment variables.

| Environment Variable | Description                                                                                                                                                                                                                                         |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `DUO_API_HOSTNAME`   | **REQUIRED.** The hostname of the Duo API endpoint that will be used to verify user identities, assigned by Duo when Guacamole was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel. |
| `DUO_AUTH_TIMEOUT`   | The timeout, in minutes, for in-progress Duo authentication attempts. Authentication attempts exceeding this duration will be invalidated. By default, Duo authentication attempts will time out after 5 minutes.                                   |
| `DUO_CLIENT_ID`      | **REQUIRED.** The client ID provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.                                                                   |
| `DUO_CLIENT_SECRET`  | **REQUIRED.** The client secret provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.                                                               |
| `DUO_REDIRECT_URI`   | **REQUIRED.** The user-facing URI that the Duo service can use to redirect an authenticated user's browser back to KCM. This is the URI that you use for the KCM deployment, e.g. `https://kcm.company.com`.                                        |
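
A pre-flight check for the variables in the table above, to run in the shell or env file that feeds `docker-compose.yaml` before the container is started. This is an added example, not part of Keeper's documentation or image: the function name `check_duo_env` and the format checks (bare hostname, `https://` redirect URI, whole-minute timeout) are assumptions of the example.

```shell
#!/bin/sh
# check_duo_env: hypothetical helper (not shipped with keeper/guacamole).
# Returns the number of problems found in the DUO_* variables; 0 means OK.
# Messages go to stderr and never include the secret's value.
check_duo_env() {
  duo_problems=0

  # The four variables the table marks REQUIRED must be set and non-empty.
  for duo_var in DUO_API_HOSTNAME DUO_CLIENT_ID DUO_CLIENT_SECRET DUO_REDIRECT_URI; do
    eval "duo_val=\${$duo_var-}"   # names come from the fixed list above
    if [ -z "$duo_val" ]; then
      echo "missing required variable: $duo_var" >&2
      duo_problems=$((duo_problems + 1))
    fi
  done

  # DUO_API_HOSTNAME is a hostname, not a URL: reject scheme, path or port.
  case "${DUO_API_HOSTNAME-}" in
    *://*|*/*|*:*)
      echo "DUO_API_HOSTNAME must be a bare hostname" >&2
      duo_problems=$((duo_problems + 1)) ;;
  esac

  # Assumption: the user-facing KCM URI is HTTPS, as in the page's
  # https://kcm.company.com sample.
  case "${DUO_REDIRECT_URI-}" in
    ""|https://?*) ;;
    *)
      echo "DUO_REDIRECT_URI should be an https:// URI" >&2
      duo_problems=$((duo_problems + 1)) ;;
  esac

  # DUO_AUTH_TIMEOUT is optional (default 5 minutes); if set, it must be
  # a whole number of minutes greater than zero.
  if [ -n "${DUO_AUTH_TIMEOUT-}" ]; then
    case "$DUO_AUTH_TIMEOUT" in
      *[!0-9]*) duo_bad=1 ;;
      *) if [ "$DUO_AUTH_TIMEOUT" -gt 0 ]; then duo_bad=0; else duo_bad=1; fi ;;
    esac
    if [ "$duo_bad" -eq 1 ]; then
      echo "DUO_AUTH_TIMEOUT must be a positive integer (minutes)" >&2
      duo_problems=$((duo_problems + 1))
    fi
  fi

  return "$duo_problems"
}
```

Source the file and call `check_duo_env` after loading the same values that will be passed to the container; a non-zero exit status is the count of problems reported on stderr.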


