Empower your users with the ability to manage their authentication devices by enabling Duo's self-service portal for your applications.
Duo's self-service portal saves time for both administrators and end users by eliminating the need to contact IT staff for authentication device changes. Your users can add, edit, and remove authentication methods from the Duo traditional prompt or Universal Prompt while logging in to protected applications.
The self-service portal feature is part of the Duo Beyond, Duo Access, and Duo MFA plans.
The self-service portal is an available option for Duo web-based applications, VPN applications, Duo Single Sign-On and Duo Access Gateway applications, Microsoft applications that offer inline self-enrollment and authentication prompt, such as Cisco SSL VPNs, Office 365, and Microsoft OWA.
Role required: Owner, Administrator, or Application Manager.
Duo's self-service portal is enabled on a per-application basis. To enable self-service for one of your applications:
Log into the Duo Admin Panel and click Applications in the left sidebar.
Click an application's name to open that application's properties page.
The self-service portal configuration option is present under "Settings" if the application supports the self-service portal feature. Check the Let users manage their devices box to enable self-service for that application.
Click the Save Changes button at the bottom of the application's properties page.
If you enable self-service for an application, consider disabling phone callback as an authentication method or applying some additional policy controls to the application, such as restricting User Location to your expected countries, or reducing your max credits per action telephony setting to only the credit amount needed for phone calls to your users' expected locations to avoid telephony misuse via the self-service portal.
With self-service enabled your users can enroll a new mobile phone, tablet, landline, security key, or Touch ID on a Mac. They can also rename an existing phone or tablet device, activate Duo Mobile, set a phone or tablet device as the default for Duo Push and phone call, or remove an existing device. Users may remove (but not add) hardware tokens from the device management portal as well.
After passing primary authentication, users see Add a New Device and My Settings & Devices links on the Duo two-factor authentication page. Duo authentication is required for access to the self-service pages.
Your end users can quickly add another authentication device with the Add a New Device utility, while clicking My Settings & Devices prompts the user to complete two-factor authentication, then shows the device management portal.
In the Universal Prompt preview, users can register Duo Push for a new smartphone or tablet, add WebAuthn methods like Touch ID on a Mac or security keys from supported browsers, or add a mobile or landline phone for SMS and phone call verification. They can also rename or remove an existing Duo Push, security key, Touch ID, or phone device. Users may remove (but not add) hardware tokens from the device management portal as well.
After passing primary authentication, users click the Other options link shown on the Duo authentication screen to return to the device list. The Manage devices option is at the bottom of the device list. Duo authentication with a previously added authentication method or a bypass code provided by a Duo administrator is required to gain access to device management.
Users can rename or remove existing devices with the Edit options, or use Add a device to register another authentication device.
For additional information about device management from the Universal Prompt, see Add or Manage Devices After Enrollment in the Duo user guide.